The most effective and easy method is to bind parameters to an SQL statement, instead of concatenating values into an SQL string.
In JDBC, this is done using a PreparedStatement.
Not necessarily, SQL injection is about validating input parameters. For example, any SQL query that takes no input parameters is immune to SQL injection.
I'm assuming you mean the "salted hash" mechanism for protecting data? This isn't really a SQL injection defence (that article, despite its title, is about more than just SQL injection), this is more an extra restriction on sensitive data, and the paragraph you mention summarises it quite succinctly.