The benefit of bound parameters is that they eliminate the weakest link in SQL injection: string concatenation.
Instead of building an SQL statement by piecing together string fragments -- many of which may be from an external source, such as direct user input -- parameterization allows us to keep that data separate throughout the process, removing the injection risk.
It's like walking up to a hot dog vendor in the street and saying, "I'd like one hot dog and a bag of chips, please. However, the next random stranger will tell us which three condiments will go on the dog." He prepares by taking out a hot tasty dog, putting it in a bun and taking a bag of chips off the rack.
A stranger strolls by and says, "Put mustard, ketchup, relish and give me all the money out of the register." Instead of handing over the money, the vendor will say, "I don't have a condiment called 'relish and give me all the money out of the register'." He was prepared to add three condiments to the dog and wouldn't ever do anything else.
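
The analogy as code, in an added example that is not part of the original text: the same three-condiment lookup built by string concatenation and then with bound parameters. The `stand` table, its rows, the function names and the stranger's input are constructed for illustration, using Python's standard `sqlite3` module.

```python
import sqlite3

# Constructed input: the third "condiment" carries extra SQL, like the stranger's request.
STRANGER = ["mustard", "ketchup", "relish') OR ('1'='1"]

def make_db():
    """Constructed in-memory stand: three condiments plus one row that must stay private."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stand (item TEXT, kind TEXT)")
    db.executemany(
        "INSERT INTO stand VALUES (?, ?)",
        [("mustard", "condiment"), ("ketchup", "condiment"),
         ("relish", "condiment"), ("cash in register", "private")],
    )
    return db

def lookup_concatenated(db, names):
    # Vulnerable: the values are pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    quoted = ", ".join("'" + n + "'" for n in names)
    sql = ("SELECT item FROM stand WHERE kind = 'condiment' "
           "AND item IN (" + quoted + ")")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, names):
    # Parameterized: the statement is fixed before any value is seen. Only the
    # number of "?" placeholders depends on the input, never its content.
    placeholders = ", ".join("?" for _ in names)
    sql = ("SELECT item FROM stand WHERE kind = 'condiment' "
           "AND item IN (" + placeholders + ")")
    return [row[0] for row in db.execute(sql, names)]

if __name__ == "__main__":
    db = make_db()
    # Concatenation: the WHERE clause is rewritten and the private row leaks.
    print("concatenated:", lookup_concatenated(db, STRANGER))
    # Bound: the third value is just a condiment name that does not exist.
    print("bound:       ", lookup_bound(db, STRANGER))
```

With the bound version the database compares the whole third string against `item` as data, which is the vendor saying he has no condiment by that name.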