But is this foolproof, or is there some other way around it?
No, you should know what you are doing. If you use bound parameters (the feature MySQLi provides), you are completely protected from attacks such as injection via this attack vector. This does not prevent you, the programmer, from directly embedding strings and thereby allowing injection attacks. You must use this feature as intended.
Re: Edit
What I should have said to start with is that I use prepared statements. That is what I meant by mysqli. If I use prepared statements without any string concatenation, is that safe?
"Safe" is probably a dangerous word. But you are protected from injection attacks for the variables that you bind using prepared statements. This is because bound parameters are sent separately from the SQL query. With the "traditional" approach of embedding strings, the database server must parse the input data, and there are many edge cases (charsets, etc.). When the data and the query are sent separately, that parsing is not performed (at least not on the variable data).
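The two patterns this answer contrasts, as an added PHP/MySQLi example that is not code from the thread. The connection details and the `users` table are placeholder assumptions.

```php
<?php
// Added example (not from the original thread). Assumes a MySQL server
// reachable with these placeholder credentials and a table
// users(id INT, name VARCHAR(64), email VARCHAR(128)).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_errno) {
    die("connect failed: " . $db->connect_error);
}
// Declare the connection charset explicitly; charset mismatches are one of
// the edge cases the answer mentions for the string-embedding approach.
$db->set_charset('utf8mb4');

// Untrusted input, e.g. from the query string. Constructed sample value.
$name = $_GET['name'] ?? "O'Brien";

// Pattern A: string embedding. The server has to parse whatever ends up in
// $sqlUnsafe, so the quote inside $name becomes part of the SQL grammar.
// This is the "directly embedding strings" case the answer says to avoid.
$sqlUnsafe = "SELECT id, email FROM users WHERE name = '" . $name . "'";
// (deliberately not executed)

// Pattern B: prepared statement with a bound parameter. The query text
// never contains $name; the value is sent to the server separately and is
// never parsed as SQL, which is why the quote in "O'Brien" is harmless here.
$stmt = $db->prepare('SELECT id, email FROM users WHERE name = ?');
if ($stmt === false) {
    die("prepare failed: " . $db->error);
}
$stmt->bind_param('s', $name);   // 's' = bind as string
$stmt->execute();
$result = $stmt->get_result();   // needs mysqlnd; otherwise use bind_result()
while ($row = $result->fetch_assoc()) {
    printf("%d %s\n", $row['id'], $row['email']);
}
$stmt->close();
$db->close();

// Caveat: only values can be bound. Table and column names, or an ORDER BY
// direction, cannot be placeholders; for those, check the input against a
// fixed allow-list before building the query text.
```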