当然可以.

如果in_var等于' UNION SELECT password from admins --怎么办?

为避免这种情况，您不应使用 cargo cult 预处理语句，而应使用真实的语句，用占位符代替变量.

To avoid that, you should use not a cargo cult prepared statement but a real one, substituting your variable with a placeholder.

SET @query = CONCAT("SELECT * FROM my_table  WHERE my_column = ? LIMIT 1;");

PREPARE stmt FROM @query;
EXECUTE stmt USING @in_var;