I don't understand why not using prepared queries can be a security risk in SQL injection. How are prepared queries different from string interpolation? I understand that it is a safer method, but it looks just like string interpolation. I'm still not getting how prepared queries save us from attacks. Are we just not preparing bad queries? Shouldn't we have delete all in case it is useful sometime? Why is person_lookup_good() better than person_lookup_bad()? To me it looks like there are no checks on 'nm' to check that it's not `Robert'; drop table person; -- ` or something. I'm confused about what the prepared queries can do that is different from the queries we were doing using MySQL in the first few weeks. Could you go over prepared queries one more time, please?
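The difference the question is asking about can be seen by running both styles side by side. The following is an added worked example, not code from the course or from the original post: it borrows the names person_lookup_good() and person_lookup_bad() from the question, assumes a hypothetical `person(id, name, email)` table, and uses Python's standard sqlite3 module as the database driver. In the interpolated version the caller's text becomes part of the SQL the parser reads, so a stray quote ends the string literal and the rest is executed as SQL. In the parameterized version the SQL text is fixed and parsed first, and the value is bound afterwards as data; no check on `nm` is needed because `nm` is never parsed as SQL at all.

```python
"""Worked comparison: string interpolation vs. a parameterized (prepared) query.

Added example for illustration, not the course's code. The table layout
person(id, name, email) is assumed; the two lookup function names are taken
from the question. Only the standard-library sqlite3 module is used.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO person (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"),
         ("Bob", "bob@example.com"),
         ("Carol", "carol@example.com")],
    )
    return conn


def add_person(conn: sqlite3.Connection, nm: str, email: str) -> None:
    """Insert a row with a bound parameter; any text is stored verbatim as data."""
    conn.execute("INSERT INTO person (name, email) VALUES (?, ?)", (nm, email))


def person_lookup_bad(conn: sqlite3.Connection, nm: str) -> list:
    # The value is pasted into the SQL text, so the SQL parser sees whatever the
    # caller typed as SQL syntax: a quote inside nm ends the string literal early
    # and everything after it is interpreted as part of the query.
    sql = f"SELECT name, email FROM person WHERE name = '{nm}'"
    return conn.execute(sql).fetchall()


def person_lookup_good(conn: sqlite3.Connection, nm: str) -> list:
    # The SQL text is constant and contains only a placeholder. The driver parses
    # (prepares) this fixed statement, then binds nm as one string value. Quotes,
    # semicolons or keywords inside nm are just characters in that value.
    sql = "SELECT name, email FROM person WHERE name = ?"
    return conn.execute(sql, (nm,)).fetchall()


def person_lookup_bad_stacked(conn: sqlite3.Connection, nm: str) -> None:
    # Same interpolation, but run through executescript(), which, like many
    # real drivers, accepts several ;-separated statements in one call. This is
    # where the classic "'; DROP TABLE person; --" payload actually bites.
    sql = f"SELECT name, email FROM person WHERE name = '{nm}'"
    conn.executescript(sql)


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the catalog so the effect of a stacked DROP TABLE is observable."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the string literal and appends an always-true clause.
    payload = "' OR '1'='1"
    print("bad :", person_lookup_bad(db, payload))    # every row comes back
    print("good:", person_lookup_good(db, payload))   # nobody is named that, so []
    db2 = make_db()
    person_lookup_bad_stacked(db2, "Robert'; DROP TABLE person; --")
    print("person table still exists:", table_exists(db2, "person"))
```

A useful way to read the output: `person_lookup_good()` does not reject or sanitize the malicious name, it simply looks for a person literally named `' OR '1'='1` and finds none. If such a row were inserted (also via a bound parameter), the same function would return it, because the string was only ever treated as a value, never as part of the statement.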