Well, yes. Except... If that was 100% true, then SQLite's `printf` wouldn't have `%q`, `%Q`, and `%w` as extensions, and [list them as advantages in #3](https://www.sqlite.org/printf.html#advantages). So of course prepared statements and binding are better, but in a pinch, proper use of `sqlite3_mprintf()` will do the job. It's not by chance they are in SQLite after all.
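What `%Q` and `%w` produce, next to a bound parameter and a plain `%s`, as an added example that is not part of the original comment. It reaches SQLite's formatter through the SQL-level `printf()` function from Python's `sqlite3` module rather than the C `sqlite3_mprintf()`; the `sql_printf` helper, table name and values are constructed for illustration.

```python
import sqlite3

def sql_printf(conn, fmt, *args):
    """Run SQLite's own formatter through the SQL printf() function."""
    marks = ", ".join("?" * (1 + len(args)))
    return conn.execute(f"SELECT printf({marks})", (fmt, *args)).fetchone()[0]

def build_insert(conn, table, value):
    # %w doubles " for use inside a double-quoted identifier;
    # %Q doubles ' and adds the surrounding quotes itself (NULL stays bare).
    return sql_printf(conn, 'INSERT INTO "%w"(name) VALUES(%Q)', table, value)

def demo():
    conn = sqlite3.connect(":memory:")
    table, value = 'odd "name"', "O'Brien"   # constructed sample input
    conn.execute('CREATE TABLE "odd ""name"""(name)')

    stmt = build_insert(conn, table, value)
    conn.execute(stmt)                        # statement built as text
    conn.execute('INSERT INTO "odd ""name"""(name) VALUES(?)', (value,))  # bound

    # Same statement with plain %s inside hand-written quotes: the value's
    # quote ends the literal early and the statement no longer parses.
    naive = sql_printf(conn, "INSERT INTO \"%w\"(name) VALUES('%s')", table, value)
    try:
        conn.execute(naive)
        naive_ok = True
    except sqlite3.OperationalError:
        naive_ok = False

    rows = [r[0] for r in conn.execute('SELECT name FROM "odd ""name"""')]
    return {"stmt": stmt, "rows": rows, "naive_ok": naive_ok,
            "null": sql_printf(conn, "VALUES(%Q)", None)}

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=>", val)
```

The formatted and the bound insert store the same value; the `%s` variant is rejected by the parser for this input.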