Can you explain a bit more on what the placeholder %s does? I still don't understand how prepared queries protect against SQL injection. What happens if someone passes in '123 or 1 = 1' as nm into our function anyway? Can we review prepared queries again and how multiple %s values work? Can we go over the right and wrong way to do a parameterized query again and what the difference is?
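The right and wrong way side by side, as an added example (not part of the original question), using Python's sqlite3 module against a constructed in-memory table. sqlite3 spells the placeholder `?` where psycopg2 and the MySQL drivers spell it `%s`, but the mechanism is identical: the driver binds the value, and Python's `%` operator never touches the SQL text.

```python
import sqlite3

# Constructed in-memory table standing in for the application's database;
# the ids, names and roles are made up for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, nm TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_wrong(conn, nm):
    # WRONG: the % operator pastes nm into the SQL string before the database
    # sees it, so "123 or 1 = 1" becomes part of the WHERE clause and is parsed
    # as SQL. The query now reads "WHERE id = 123 or 1 = 1" and matches every row.
    sql = "SELECT id, nm FROM users WHERE id = %s ORDER BY id" % nm
    return conn.execute(sql).fetchall()


def lookup_right(conn, nm):
    # RIGHT: the SQL text is fixed at "WHERE id = ?"; nm is handed to the driver
    # separately and bound to the placeholder as one opaque value. The text
    # "123 or 1 = 1" is compared against the id column as a value and matches
    # nothing; it can never change the shape of the statement.
    sql = "SELECT id, nm FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (nm,)).fetchall()


def lookup_right_multi(conn, nm, role):
    # Several placeholders: the tuple supplies exactly one value per placeholder,
    # bound left to right. Same protection, regardless of how many there are.
    sql = "SELECT id, nm FROM users WHERE id = ? AND role = ? ORDER BY id"
    return conn.execute(sql, (nm, role)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "123 or 1 = 1"
    print(lookup_wrong(db, payload))        # all three rows: the input became SQL
    print(lookup_right(db, payload))        # []: the input stayed a value
    print(lookup_right_multi(db, 3, "user"))  # [(3, 'carol')]
```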