Do prepared queries mean that we let the attacker think they've gotten in, when in reality we just execute our own code with their input?

Can you re-explain SQL injection on the board please?

I'm still a little unclear on how prepared queries avoid the issue of an injection attack. Couldn't extra information that alters a database still be added in the 'list_of_values' parameter when running curs.execute(sql_with_placeholders, list_of_values)?

Why does %s prevent string inputs from being treated as extra code to run? Something about the separation of preparation and execution?

Does the executor throw an error if it gets extra material where a single input was expected?

Can you use %s to search a database of sql commands?

If PyMySQL doesn't use prepared queries, then why isn't it vulnerable to SQL injections? What does it do instead?

So can %s be a value of any length?
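The following is an added, runnable illustration of the points these questions circle around; it is not code from the course or from PyMySQL. It uses Python's built-in sqlite3 module against an in-memory database with constructed sample rows, so it runs offline; sqlite3's placeholder is `?` where PyMySQL's is `%s`, but the behaviour is the same. It also includes a small `quote` helper that mimics the idea behind PyMySQL's approach (escape the value on the client and substitute it into the query text before sending it, instead of binding parameters server-side); that helper is a teaching sketch using SQLite's quoting rule (double any single quote), not PyMySQL's actual escaping code, which follows MySQL's rules and the connection's character set.

```python
import sqlite3

def make_db():
    """Constructed sample data: three users in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn

def lookup_unsafe(conn, name):
    """Vulnerable: the input is pasted into the SQL text, so the parser
    sees whatever the input contains as part of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Parameterised: the statement is parsed with a placeholder first and
    the value is bound afterwards. By then the statement's shape is fixed,
    so the value can only ever be compared as data, never run as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def quote(value):
    """Sketch of client-side escaping (the PyMySQL-style alternative to
    server-side prepared statements): make the value a valid string
    literal by doubling embedded quotes, then wrap it in quotes."""
    return "'" + value.replace("'", "''") + "'"

def lookup_escaped(conn, name):
    """Client-side escaping: the driver builds the final SQL text itself,
    but only after turning the value into a harmless literal. Correctness
    depends on the escaping matching the server's rules exactly, which is
    why parameter binding is the preferred option when available."""
    sql = "SELECT name FROM users WHERE name = %s ORDER BY name" % quote(name)
    return [row[0] for row in conn.execute(sql)]

def store_value(conn, name, secret):
    """A bound value can be any length and contain anything, including
    text that looks like SQL; it is stored verbatim and read back verbatim."""
    conn.execute("INSERT INTO users (name, secret) VALUES (?, ?)", (name, secret))
    return conn.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()[0]

def parameter_count_mismatch(conn):
    """One placeholder, two values: the driver refuses rather than guessing
    what to do with the extra material."""
    try:
        conn.execute("SELECT name FROM users WHERE name = ?", ("alice", "extra"))
    except sqlite3.ProgrammingError:
        return "ProgrammingError"
    return "no error"

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"           # classic tautology payload, constructed
    print("unsafe:  ", lookup_unsafe(db, payload))   # every row leaks
    print("bound:   ", lookup_safe(db, payload))     # no user has that literal name
    print("escaped: ", lookup_escaped(db, payload))  # same result via escaping
    print("mismatch:", parameter_count_mismatch(db))
    long_secret = "x'; DROP TABLE users; --" + "y" * 5000
    print("stored length:", len(store_value(db, "mallory", long_secret)))
```

The takeaway for the 'list_of_values' question: nothing placed in the value list can change the statement, because the statement was already parsed before the values arrived. Extra values are an error, and an oversized or SQL-looking value is just a longer string in a column.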