How to defend against SQL Injection

Some time ago I went to listen to the internal 4399 mobile game boss and talked about some php security knowledge, some of which I have never heard of, some of which I have heard of, and I think it is better, the principle of SQL injection is very simple, that is, the data input by the user. The program also runs the data as a command, which produces SQL injection to solve this problem, it's also very simple .. if I treat user input data as data rather than program execution, then SQL injection will naturally not occur. how does one regard user input as data instead of a program? The method is to use SQL pre-compile to get familiar with java ee. It should be clear that hibernate often sees similar Syntax: insert into table (username, password) values (?,?); In fact, this syntax is provided by the database rather than compiled by hibernate. This method is actually pre-compiled, and the completed SQL statement is prepare pstmt from 'insert into table (username, password) values (?,?) '; Prepare: Database keyword pstmt: Name the pre-compiled function (which will be called later based on the name, which can be understood as a custom function name in popular terms) from: insert into table (username, password) values (?,?) It is the pre-compiled SQL statement. The next call is set @ username = 'I am the username' set @ password = 'I am the password' execute pstmt using @ username, @ password; can pre-compilation greatly improve the defense against SQL Injection? I think it should be impossible. As long as the data in this world is stored on the Internet, it is not safe.