A parameterized query doesn’t actually do string replacement. If you use string substitution, then the SQL engine actually sees a query that looks like
SELECT * FROM mytable WHERE user="wayne"
If you use a ? parameter, then the SQL engine sees a query that looks like
SELECT * FROM mytable WHERE user=<some value>
Which means that before it even sees the string “wayne”, it can fully parse the query and understand, generally, what the query does. It sticks “wayne” into its own representation of the query, not the SQL string that describes the query. Thus, SQL injection is impossible, since we’ve already passed the SQL stage of the process.
(The above is generalized, but it more or less conveys the idea.)