This is the gold standard. The database treats the input strictly as data, not part of the command.
If an application is configured to display database errors to the user, an attacker can use specific functions to intentionally trigger an error that contains sensitive data. sql injection payloads
If the site takes 5 seconds to load, the condition was true. Advanced and Obfuscated Payloads This is the gold standard
Use allow-lists to ensure input matches expected formats (e.g., an ID must be an integer). an ID must be an integer).