No, if you use prepared statements throughout your application, you can be safe from SQL injection. However, an important "catch" is a 2nd order injection attack, which occurs when some requests use prepared statements while others do not.
According to this answer of a similar question on SO:
prepared statements / parameterized queries are sufficient to prevent 1st order injection in this statement. If you use unvalidated dynamic SQL anywhere else in your application, you are still vulnerable to 2nd order injections.
In conclusion, prepared statements create a separation between the data being sent and the SQL query itself, ensuring that the data cannot be misinterpreted as an SQL query. However, an attacker can still enter SQL as data, and although it will not be executed when it is first saved, even if you use prepared statements you should still be careful when retrieving those results later. Prepared statements protect your application in this particular place, but since SQL is still allowed to be stored in the database, your application is unsafe if you later use this data without parameterization.
Tim
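The second-order scenario described in the answer, as an added example that is not part of the original post: the registration step is parameterized and stores the hostile username harmlessly, but a later lookup that concatenates the stored value into a new query is still injectable, while the parameterized version of the same lookup is not. The table, the users and the hostile username are constructed for the demo.

```python
import sqlite3

def setup_db():
    # Constructed in-memory database for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn

def register(conn, username, email):
    # First request: parameterized, so the submitted text is stored verbatim as data
    # and is never interpreted as SQL here.
    conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    conn.commit()

def lookup_email_unsafe(conn, user_id):
    # Later request: re-reads the stored username and concatenates it into a new query.
    # The value came from our own database, but it is still attacker-supplied data,
    # so this is the 2nd order injection point.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = conn.execute(f"SELECT email FROM users WHERE username = '{username}'").fetchall()
    return [r[0] for r in rows]

def lookup_email_safe(conn, user_id):
    # Same logic, parameterized: the stored username can only ever match itself.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]

def demo():
    conn = setup_db()
    # Constructed hostile username: harmless when stored, dangerous when concatenated later.
    hostile = "x' OR 'a'='a"
    register(conn, hostile, "mallory@example.test")
    new_id = conn.execute("SELECT id FROM users WHERE email = ?",
                          ("mallory@example.test",)).fetchone()[0]
    # Unsafe lookup leaks every user's email; safe lookup returns only the matching row.
    return lookup_email_unsafe(conn, new_id), lookup_email_safe(conn, new_id)

if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe lookup:", unsafe)
    print("safe lookup:  ", safe)
```

The fix is not to "sanitize" data on the way out of the database but to parameterize every query that touches it, including the ones that only read values you stored yourself.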