Yes, but a qualified yes.
You need to properly escape 100% of the input. And you need to properly set character sets (if you're using the C API, you need to call mysql_set_character_set() instead of SET NAMES). If you miss one tiny thing, you're vulnerable. So it's yes, as long as you do everything right…
And that’s the reason a lot of people will recommend prepared queries. Not because they are any safer. But because they are more forgiving…
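The character set point in the answer is the one people most often miss, so here is an added example (not code from the answer, not libmysql) that models it offline in Python. `escape()` stands in for mysql_real_escape_string(), which walks bytes using the charset the *client library* believes is in use; `literal_end()` stands in for the server lexer scanning a single-quoted literal using the *connection* charset. SET NAMES changes only the server side, so the two can disagree; mysql_set_character_set() updates both. The GBK byte-range checks, the helper names and the payload bytes are all constructed for this demonstration.

```python
# Added example: model of the client-side escaping vs. server-side lexing mismatch.
# Not libmysql or MySQL code; no server is contacted. Only 'latin1' (single-byte)
# and 'gbk' (2-byte, trail byte may be 0x5C '\\') are modelled.

def is_gbk_char(s: bytes, i: int) -> bool:
    """True if s[i:i+2] is a well-formed 2-byte GBK character
    (lead 0x81..0xFE, trail 0x40..0xFE except 0x7F)."""
    if i + 1 >= len(s):
        return False
    lead, tail = s[i], s[i + 1]
    return 0x81 <= lead <= 0xFE and 0x40 <= tail <= 0xFE and tail != 0x7F

# Bytes mysql_real_escape_string() rewrites when they appear as single-byte chars.
SINGLE_BYTE_ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
}

def escape(s: bytes, client_charset: str) -> bytes:
    """Model of mysql_real_escape_string() under the client's idea of the charset."""
    out = bytearray()
    i = 0
    while i < len(s):
        if client_charset == "gbk":
            if is_gbk_char(s, i):
                out += s[i:i + 2]          # whole character passes through untouched
                i += 2
                continue
            if 0x81 <= s[i] <= 0xFE:
                # Looks like a lead byte but the pair is not a valid character:
                # escape the byte so it cannot swallow whatever follows it.
                out += b"\\" + bytes([s[i]])
                i += 1
                continue
        out += SINGLE_BYTE_ESCAPES.get(s[i], bytes([s[i]]))
        i += 1
    return bytes(out)

def literal_end(sql: bytes, start: int, server_charset: str):
    """Model of the server lexer scanning a '...' literal opened at sql[start].
    Returns the index of the closing quote, or None if the literal never closes."""
    i = start + 1
    while i < len(sql):
        if server_charset == "gbk" and is_gbk_char(sql, i):
            i += 2                         # multibyte char, cannot be a quote
            continue
        if sql[i] == 0x5C:                 # backslash escapes exactly one byte
            i += 2
            continue
        if sql[i] == 0x27:
            return i
        i += 1
    return None

# Constructed attacker input: 0xBF followed by a quote. Escaped byte-by-byte this
# becomes BF 5C 27; a GBK-speaking server reads BF 5C as one character and 27 as
# the end of the literal.
PAYLOAD = b"\xbf' OR 1=1 -- "

def build_query(client_charset: str, server_charset: str):
    """Returns (query_bytes, index_of_closing_quote_seen_by_server)."""
    q = b"SELECT * FROM users WHERE name = '" + escape(PAYLOAD, client_charset) + b"'"
    return q, literal_end(q, q.index(b"'"), server_charset)

def is_injectable(client_charset: str, server_charset: str) -> bool:
    """True if the server closes the literal before the quote the app wrote."""
    q, end = build_query(client_charset, server_charset)
    return end is not None and end < len(q) - 1

if __name__ == "__main__":
    # SET NAMES gbk: server switched, client library still escaping as latin1.
    print("SET NAMES gbk           ->", "INJECTABLE" if is_injectable("latin1", "gbk") else "safe")
    # mysql_set_character_set("gbk"): both sides agree.
    print("mysql_set_character_set ->", "INJECTABLE" if is_injectable("gbk", "gbk") else "safe")
    # No charset change at all.
    print("default latin1          ->", "INJECTABLE" if is_injectable("latin1", "latin1") else "safe")
```

The modelled lexer deliberately skips a single byte after a backslash rather than a whole character; that is why the charset-aware escaping (which emits `\` 0xBF `\'`) keeps the quote inside the literal, while the byte-wise escaping leaves 0xBF 0x5C to be read as one character and the quote bare.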