I want to secure a parameterized SQL query from SQL injection. I have gone through an article which describes how to avoid SQL injection using PreparedStatement. link
According to the article, PreparedStatement helps to pick a pre-compiled query from the cache, and the placeholders are replaced with user data at the final step, so the query won't be compiled again. Therefore it helps to avoid SQL injection if someone provides an SQL query as user input, since the query will be compiled only once.
But what happens if someone gives a string with special characters such as 'x'='x'? For example, when placeholders are replaced with user data like 'x'='x' in the final query, like "SELECT * FROM users WHERE username = 'blah' AND password = 'foo' OR 'x'='x'". How does Java PreparedStatement deal with this type of special characters?
Can anybody please help me to understand this?
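Added example, not part of the question above: it contrasts the string-concatenation pattern with the placeholder pattern the question is asking about. It assumes Python's sqlite3 module, whose `?` parameters follow the same model as JDBC PreparedStatement (the SQL text is compiled with placeholders, the values are bound separately and never parsed as SQL), and uses a constructed in-memory users table.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    # A legitimate value containing an apostrophe (SQL-escaped here only
    # because this literal is part of the fixed setup statement).
    conn.execute("INSERT INTO users VALUES ('o''brien', 'pa''ss')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable pattern: user input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Prepared-statement pattern: the statement is compiled with two
    placeholders; the values are bound afterwards as plain data, so
    "foo' OR 'x'='x" is compared byte-for-byte against the password column
    and never changes the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "foo' OR 'x'='x"
    print("concatenated:", login_concat(db, "blah", payload))   # every user
    print("prepared:    ", login_prepared(db, "blah", payload))  # no match
    print("apostrophe:  ", login_prepared(db, "o'brien", "pa'ss"))
```

With concatenation the same apostrophe that enables the injection also breaks the legitimate `o'brien` login with a syntax error; with placeholders both cases behave correctly without any manual escaping.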