
PHP: Prepared statements (newbie), just need to confirm this about SQL injection

I have long used the mysql_query() to do my stuff but now I am shifting to prepared statements for two reasons:

performance and no sql injection possibility

This is how I am using it:

function add_new_user($e_mail1, $username, $pass)
{
    // db.php is expected to define $mysqli; require_once inside a function only
    // runs on the first call, so reference the connection from global scope.
    global $mysqli;
    require_once "db.php";

    // The SQL text is fixed; the ? placeholders are bound separately and never parsed as SQL.
    $stmt = $mysqli->prepare("INSERT INTO un_users VALUES ('', ?, ?, 0, 0, ?, 0)");
    if ($stmt === false) {
        return false;  // surface a bad query instead of calling methods on false
    }
    $stmt->bind_param('sss', $e_mail1, $username, $pass);  // binding protects the query, it does not hash $pass
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

I am not sanitizing the three variables ($e_mail1,$username,$pass) when I pass them to the function or anything else.

Am I doing it the correct way or did I screw up somewhere or need to do something else? I'm a newbie with this (still going through the docs) so feel free to shower your knowledge :D

Thanks!


Yes, you are doing it correctly.

0
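The reason no sanitizing is needed is that bound values travel separately from the SQL text and are never parsed as SQL. The following is an added example, not code from the original post, showing that contrast with Python's built-in sqlite3 module (same `?` placeholders as mysqli) so it runs without a MySQL server; the table layout and the sample user are constructed for the demo.

```python
import sqlite3

# Constructed sample input: a legitimate value that happens to contain a quote.
SAMPLE_USER = ("o.brien@example.com", "O'Brien", "plaintext-pw")


def make_db():
    """In-memory stand-in for un_users; column names are assumed for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE un_users (id INTEGER PRIMARY KEY, email TEXT, "
        "username TEXT, a INTEGER, b INTEGER, pass TEXT, c INTEGER)"
    )
    return db


def add_user_concat(db, e_mail1, username, pass_):
    """Old mysql_query-style approach: values spliced into the SQL text,
    so the database parses user data as part of the statement."""
    sql = ("INSERT INTO un_users VALUES (NULL, '%s', '%s', 0, 0, '%s', 0)"
           % (e_mail1, username, pass_))
    db.execute(sql)


def add_user_prepared(db, e_mail1, username, pass_):
    """Prepared-statement approach from the question: fixed SQL text,
    values bound to ? placeholders and never interpreted as SQL."""
    db.execute(
        "INSERT INTO un_users VALUES (NULL, ?, ?, 0, 0, ?, 0)",
        (e_mail1, username, pass_),
    )


def concat_breaks_on_quote():
    """True if string-building chokes on the apostrophe in O'Brien."""
    db = make_db()
    try:
        add_user_concat(db, *SAMPLE_USER)
    except sqlite3.OperationalError:  # the quote ended the literal early
        return True
    return False


def prepared_stores_verbatim():
    """The stored username; with binding it matches the input exactly."""
    db = make_db()
    add_user_prepared(db, *SAMPLE_USER)
    return db.execute("SELECT username FROM un_users").fetchone()[0]


if __name__ == "__main__":
    print("concat breaks on quote:", concat_breaks_on_quote())  # True
    print("prepared stores:", prepared_stores_verbatim())       # O'Brien
```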
