Since there is no user input involved here and the strings are all constant, there is no risk of SQL injection and no need to use bound parameters in this case.