Англицким по бэкграунду же написано:
Placeholders and Bind Values
Some drivers support placeholders and bind values. Placeholders, also
called parameter markers, are used to indicate values in a database
statement that will be supplied later, before the prepared statement is
executed. For example, an application might use the following to
insert a row of data into the SALES table:
INSERT INTO sales (product_code, qty, price) VALUES (?, ?, ?)
or the following, to select the description for a product:
SELECT description FROM products WHERE product_code = ?
The "?" characters are the placeholders. The association of actual
values with placeholders is known as binding, and the values are
referred to as bind values.
When using placeholders with the SQL "LIKE" qualifier, you must remem-
ber that the placeholder substitutes for the whole string. So you
should use ""... LIKE ? ..."" and include any wildcard characters in
the value that you bind to the placeholder.
Соответственно никакие :DROP TABLE .... не пройдут.