Bind variables (parameterized queries) keep user input as data, so it cannot alter the structure of the SQL statement (CWE-89). Manual escaping is incomplete and bypassable; keyword-stripping breaks valid input and misses alternate encodings; read-only database rights limit the impact of a successful injection but do not prevent the injection itself or the theft of readable data.