I am trying to understand prepared statement and what it does.
"Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. In the safe example below, if an attacker were to enter the userID of tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username which literally matched the entire string tom' or '1'='1. "
If an attacker input: userID of tom' or '1'='1
what will prepared statement detect as a userID?
Is that true? If all of them userID: tom' or '1'='1
then the SQLIA will be successful correct ?