Yes, you could. I suppose that wasn't a very good example - binding the parameters prevents SQL injection, as the SQL and parameters are sent to the database server separately.
You would usually be inputting information submitted by the user, so you would normally have to sanitize it, but with prepared statements you don't have to.
You would more likely use something like this for your parameters, where the variables are local copies from a global $_POST array.
PHP Code:
$params = array(
':message_id' => $user_input_string,
':temperature' => $user_input_string_two
);
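The following is an added example, not part of the original post: it runs the `$params` array above through a prepared statement and checks that a quote-laden value is stored as plain data. It assumes PDO with an in-memory SQLite database; the `readings` table, the `$post` array standing in for `$_POST`, and the sample values are constructed for illustration.

```php
<?php
// Added example: table name, columns and sample inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE readings (message_id TEXT, temperature TEXT)');

// Stand-in for a submitted form; in a real request this would be $_POST.
$post = array(
    'message_id'  => "42'); DROP TABLE readings; --",
    'temperature' => '21.5',
);

// Local copies of the submitted values, as described in the post.
$user_input_string     = $post['message_id'];
$user_input_string_two = $post['temperature'];

$params = array(
    ':message_id'  => $user_input_string,
    ':temperature' => $user_input_string_two,
);

// The SQL text holds only placeholders; the values are bound separately,
// so quotes and semicolons inside them are never parsed as SQL.
$stmt = $pdo->prepare(
    'INSERT INTO readings (message_id, temperature)
     VALUES (:message_id, :temperature)'
);
$stmt->execute($params);

// Read the row back: the table is intact and the string is stored verbatim.
$rows = $pdo->query('SELECT message_id, temperature FROM readings')
            ->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 1);
var_dump($rows[0]['message_id'] === $user_input_string);

// The same binding works for lookups: the value is compared as data.
$find = $pdo->prepare(
    'SELECT COUNT(*) FROM readings WHERE message_id = :message_id'
);
$find->execute(array(':message_id' => $user_input_string));
var_dump((int) $find->fetchColumn() === 1);
```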