I have a simple query that is being marked as SQL injection by a SAST analyzer:
String sql = String.format("SELECT name, age, job_code, category FROM EMPLOYEES " +
" WHERE job_code = '%s' AND job_code = '%s%s'", jobCode, jobLevel, role);
...
PreparedStatement stmt = conn.prepareStatement(sql);
ResultSet rs = stmt.executeQuery();
I know that I can avoid SQL injection by using bind parameters like:
stmt.setString(1, jobCode);
stmt.setString(2, jobLevel);
stmt.setString(3, role);
Will it be necessary to use single quotes to generate the correct value for job_code = '%s%s'?
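The parameterised form of the query above, written out as an added example (this is not code from the question or from any project it refers to). It assumes an H2 in-memory database reachable at `jdbc:h2:mem:employees` with the H2 JDBC driver on the classpath; the table layout, the seed rows and the method name `findByJobCode` are constructed for the example. The point it shows: a `?` placeholder is bound to a complete value, so the single quotes disappear from the SQL text entirely, and the `'%s%s'` pair becomes one value concatenated in Java and bound as a single parameter. The driver handles quoting, which is also why a value that happens to contain an apostrophe is treated as data rather than as SQL syntax.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class JobCodeQuery {
    // Assumption: H2 in-memory database with the H2 driver on the classpath.
    static final String URL = "jdbc:h2:mem:employees;DB_CLOSE_DELAY=-1";

    // Constructed sample table and rows for the example; not from the question.
    static void seed(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE IF NOT EXISTS EMPLOYEES ("
                    + "name VARCHAR(50), age INT, job_code VARCHAR(20), category VARCHAR(20))");
            st.execute("DELETE FROM EMPLOYEES");
            st.execute("INSERT INTO EMPLOYEES VALUES ('Ann', 31, 'ENG3', 'A'), ('Bo', 45, 'MGR1', 'B')");
        }
    }

    // Same WHERE clause as the question, but with bind parameters.
    // No quotes are written around the placeholders: the driver supplies them.
    static List<String> findByJobCode(Connection conn, String jobCode,
                                      String jobLevel, String role) throws SQLException {
        String sql = "SELECT name, age, job_code, category FROM EMPLOYEES"
                + " WHERE job_code = ? AND job_code = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, jobCode);
            // '%s%s' becomes one concatenated value bound as a single parameter.
            stmt.setString(2, jobLevel + role);
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {
            seed(conn);
            // Normal lookup: jobLevel + role = "ENG3", matching the seeded row.
            System.out.println(findByJobCode(conn, "ENG3", "ENG", "3"));
            // A value containing an apostrophe is bound as data; the query still
            // parses and simply matches nothing, where String.format would have
            // produced broken (or attacker-controlled) SQL text.
            System.out.println(findByJobCode(conn, "O'Neil", "O'", "Neil"));
        }
    }
}
```

The bind count also has to match the placeholder count: with two `?` markers there are two `setString` calls, so the third `setString(3, role)` from the question is not needed once `jobLevel` and `role` are joined before binding.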