But I feel like perhaps your understanding of paramaterised queries might be a little different from what they actually do.
it's not simple string replacement, to my knowledge (such as in PHP there, putting vars in a string), rather (again, my knowledge is also limited) I believe they're for values I'm not sure you can do what you're trying to achieve here with the tables as a parameter.
But I could be very wrong.
TL:DR; might be best to do some reading on parameterised queries :)
Then you can be the expert and inform us both :P
I see in that PR you're not actually doing anything with the tables anyway (they're a statically defined string, used once). I might suggest you simply put them into the query directly, and just have the single
? for the
well, maybe not inline them directly, but continue using the variable to build the param'd query.
It isn't adapting to user input, nor even function input. Chance of injection is ~extremely low~ nil.