
Disadvantages of parameterized queries to overcome SQL injection?


SQL injection attacks have a solution in "parameterized queries", replacing external values with parameters. But I am not aware of the cons it brings along. If at all there are any, then it will be a great help. :)


Solution

  • It is always a good idea to apply all the techniques we know to prevent injection. The "pros" of parameterized queries are primarily avoiding "OR 1=1" and other common SQL injections: you force the database to interpret everything that comes within the bound variables as data and not as SQL instructions. Thus it becomes very difficult for, say, me, if I have bad intentions, to drop one of your tables.

    The "cons" of parameterized SQL are mainly related to the fact that you don't have the flexibility you were used to (you can't make two queries at the same time, with two while loops, the second using or trying to use a parameter obtained with the first call, without some adjustments, in MySQLi, for instance. Examples of the problems you may find when switching are as in Nested looping with mysqli and fetch_object, or as stated here). This is not a good reason to avoid switching to safer programming, and I think it also prevents some bad habits one may have acquired with the so-called "vanilla programming" (as for me, I had acquired some), but, as the other person answering this question points out, there are workarounds to solve that as well. I am not aware of other cons, maybe because there aren't any.

    You could also refer to related questions on SO, such as Are Parameters really enough to prevent Sql injections? and many more. I am not sure that this isn't a duplicate, but am replying all the same to try to clear your doubts.