Choosing the safe approach for user input
A pipeline accepts a product name from user configuration to filter a SQL query. Your colleague suggests two approaches:
Approach A uses params (Jinja rendering):
    from airflow.providers.common.sql.operators.sql import SQLExecuteQueryOperator

    # user_input holds the product name taken from user configuration.
    # Jinja renders {{ params.product }} into the SQL text before execution.
    SQLExecuteQueryOperator(
        task_id="filter_orders_a",
        sql="SELECT * FROM orders WHERE product = '{{ params.product }}'",
        params={"product": user_input},
    )
Approach B uses parameters (DB-level binding):
    from airflow.providers.common.sql.operators.sql import SQLExecuteQueryOperator

    # user_input holds the product name taken from user configuration.
    # The database driver binds the value to the $product placeholder at execution time.
    SQLExecuteQueryOperator(
        task_id="filter_orders_b",
        sql="SELECT * FROM orders WHERE product = $product",
        parameters={"product": user_input},
    )
Which approach is injection-safe when the product name comes from untrusted user input?
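The following is an added example, not part of the exercise and not Airflow's own code. It reproduces both approaches against an in-memory SQLite table so the difference can be observed directly: Approach A is simulated with a small Jinja-like text substitution (a stand-in for Airflow's template rendering), Approach B uses the driver's parameter binding. The table contents, the placeholder name `:product` (SQLite's syntax; the `$product` on the page is what the exercise's driver uses), the hostile input string and the `jinja_inside_sql_literal` review check are all constructed for this demonstration.

```python
"""Added example: Jinja-style substitution vs DB-level parameter binding."""
import re
import sqlite3

# Constructed sample rows for the orders table.
ORDERS = [(1, "widget", 10), (2, "gadget", 25), (3, "gizmo", 7)]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, product TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def render_jinja_like(sql, params):
    """Stand-in for Jinja rendering of '{{ params.x }}': plain text substitution
    with no SQL-aware escaping, which is what Airflow's templating does."""
    return re.sub(r"\{\{\s*params\.(\w+)\s*\}\}", lambda m: str(params[m.group(1)]), sql)


def approach_a(conn, user_input):
    """Approach A: the value is rendered into the statement text, then executed."""
    sql = "SELECT * FROM orders WHERE product = '{{ params.product }}'"
    rendered = render_jinja_like(sql, {"product": user_input})
    return rendered, conn.execute(rendered).fetchall()


def approach_b(conn, user_input):
    """Approach B: the statement text is fixed; the value is bound by the driver.
    SQLite uses :product here; other drivers use $product or %(product)s, but the
    value is always passed as data and never parsed as SQL."""
    sql = "SELECT * FROM orders WHERE product = :product"
    return sql, conn.execute(sql, {"product": user_input}).fetchall()


# Review check: a Jinja expression inside a quoted SQL literal means the rendered
# value becomes part of the statement, so it is only safe for trusted values.
JINJA_IN_LITERAL = re.compile(r"'[^']*\{\{[^}]*\}\}[^']*'")


def jinja_inside_sql_literal(sql):
    """Return True when a {{ ... }} expression sits inside a single-quoted SQL literal."""
    return bool(JINJA_IN_LITERAL.search(sql))


if __name__ == "__main__":
    conn = make_db()
    benign = "widget"
    hostile = "' OR '1'='1"  # constructed input that closes the literal and adds a tautology
    for name, fn in (("A", approach_a), ("B", approach_b)):
        for value in (benign, hostile):
            sql, rows = fn(conn, value)
            print(f"Approach {name}, input={value!r}: {len(rows)} rows  [{sql}]")
```

Running the block shows Approach A returning every row for the hostile input, because the rendered text `product = '' OR '1'='1'` is a different query from the one the author wrote, while Approach B returns no rows for the same input, since the driver compares the column against the literal string. The `jinja_inside_sql_literal` check is the kind of lint a DAG review can apply: any `sql=` string that places a Jinja expression inside quotes deserves a look at where the value comes from.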
This exercise is part of the course Building Data Pipelines with Airflow.