I am using the Play! framework along with Anorm to access the database. I often see examples like the following, where object members are injected into the SQL statement directly.
My question is: are these inputs sanitized? Most examples look like the following:
import anorm._
import play.api.db.DB
import play.api.Play.current

case class Person(firstName: String, lastName: String)

object Person {
  def save(p: Person) {
    DB.withConnection("default") { implicit connection =>
      // Named placeholders {firstName} / {lastName} are filled from .on(...)
      SQL("""
        INSERT INTO person(firstName, lastName)
        VALUES ({firstName}, {lastName})
      """
      ).on(
        "firstName" -> p.firstName,
        "lastName"  -> p.lastName
      ).executeUpdate()
    }
  }
}
I will attempt to find out by way of hacking, but it's easy to make a mistake, so I thought asking was more appropriate, and I can draw on the wisdom of the crowd.
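Added example, not code from the question or from the Anorm project: the same lookup written once by splicing the value into the SQL text and once with an Anorm named placeholder, so the difference the question is about can be seen side by side. It assumes Play 2.x with Anorm on the classpath, a datasource named "default", and a hypothetical Person case class and PersonDao object; the column and table names follow the question.

```scala
import anorm._
import play.api.db.DB
import play.api.Play.current

// Assumed model for the example (the question does not show its Person class).
case class Person(firstName: String, lastName: String)

object PersonDao {
  // Maps a result row to a Person; SqlParser.str reads a String column.
  private val personParser: RowParser[Person] =
    SqlParser.str("firstName") ~ SqlParser.str("lastName") map {
      case f ~ l => Person(f, l)
    }

  // UNSAFE: the caller's value becomes part of the SQL text. A lastName of
  //   ' OR '1'='1
  // produces  ... WHERE lastName = '' OR '1'='1'  and returns every row.
  def findByLastNameUnsafe(lastName: String): List[Person] =
    DB.withConnection("default") { implicit connection =>
      SQL("SELECT firstName, lastName FROM person WHERE lastName = '" + lastName + "'")
        .as(personParser.*)
    }

  // SAFE: Anorm rewrites {lastName} to a '?' placeholder of a JDBC
  // PreparedStatement and binds the value through its ToStatement instance
  // (setString for a String). The same payload is then compared as the
  // literal string  ' OR '1'='1  and matches no row; it never reaches the
  // SQL parser as syntax.
  def findByLastName(lastName: String): List[Person] =
    DB.withConnection("default") { implicit connection =>
      SQL("SELECT firstName, lastName FROM person WHERE lastName = {lastName}")
        .on("lastName" -> lastName)
        .as(personParser.*)
    }
}
```

So the save example in the question is not "sanitized" in the sense of escaping quotes; it is parameterized, which is the stronger guarantee, because the value is transmitted to the driver separately from the statement text. The caveat is that placeholders only bind values: a table or column name, or an ORDER BY direction, cannot be passed through .on(...), so code that builds those parts of the statement from user input by string concatenation is still injectable and needs a whitelist of allowed identifiers.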