Parameterized queries and statements are great. They solve problems where the paramaterized queries are used. However care must be taken, a script running on the database after information has been entered can still inject long after the initial parameterized statement put it into the database if that script itself does not use parameterized queries, making a SQL injection still work, in a delayed way.