Prepared Statements
Prepared statements are a database engine concept. The engine creates a query template and stores it on the server.
At run time, the client sends only the statement's name and the parameters. The server then runs the query with those parameters.
The question marks in the database logs are the placeholders. When you see them, the query is running as a prepared statement.
Database engines use prepared statements to cache queries.
SQL Injection protection is a side effect.

SQL Injection Protection
With prepared statements, the engine treats the parameters as data, not as part of the query.
Without prepared statements, the whole query is one string. The engine parses that string and runs it. This is what opens the door to SQL Injection.
With prepared statements, the query is fixed. The values are passed in with specific types.
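
The difference between the two forms, as an added example that is not part of the original page: the same lookup built by string concatenation and run as a parameterized query with a ? placeholder. It assumes Python's sqlite3 module with an in-memory database; the table, the sample rows and the function names are constructed for illustration. SQLite runs in-process, so there is no named statement stored on a server, but the separation between the fixed query and the bound values is the same.

```python
import sqlite3

def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("o'brien", "c-secret")],
    )
    return db

def lookup_concatenated(db, name):
    """Vulnerable form: the value becomes part of the SQL text the engine parses."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_prepared(db, name):
    """Fixed query: only the template is parsed; the value is bound as data."""
    query = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def compare(value):
    """Run both lookups on a fresh database and return (concatenated, prepared)."""
    db = make_db()
    try:
        concatenated = lookup_concatenated(db, value)
    except sqlite3.OperationalError as exc:
        # The value broke the query text, so the engine could not parse it.
        concatenated = f"parse error: {exc}"
    prepared = lookup_prepared(db, value)
    db.close()
    return concatenated, prepared

if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a legitimate name containing a
    # quote, and a value that changes the WHERE clause when concatenated.
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        concatenated, prepared = compare(value)
        print(f"input:        {value!r}")
        print(f"concatenated: {concatenated}")
        print(f"prepared:     {prepared}")
        print()
```

With concatenation, the third input returns every row and the second fails to parse; with the placeholder, each input is compared to the name column as a plain string.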