While I can certainly see the advantages of using parameters for SQL queries, especially when dealing with datetimes and things like that, I'm still unsure about parameters
If the user only needs read-only access to the data, then have the UI execute via a SQL user that only has read-only access. Read-only does not protect you from injection attacks - they can use it to view data you did not intend them to view, but they cannot use injection to delete data.
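An added example (not code from either poster) in Python with sqlite3 that shows the point of the answer above: on a read-only connection, a query built by string concatenation still returns rows the caller never asked for, a parameterized query does not, and the read-only connection refuses the DELETE. The table, its rows and the hostile input string are constructed for this demo.

```python
import os
import sqlite3
import tempfile


def build_db(path):
    """Create a small constructed orders table to query against."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'bob', 20.0), (3, 'carol', 30.0);
    """)
    conn.commit()
    conn.close()


def open_readonly(path):
    """Open the database read-only, the equivalent of a SQL user with SELECT only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def orders_concat(conn, customer):
    """Vulnerable: untrusted input is spliced straight into the SQL text."""
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_param(conn, customer):
    """Safe: the driver binds the value; it can never change the query's structure."""
    sql = "SELECT customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def try_delete(conn):
    """A write on the read-only connection fails; read-only does stop destructive injection."""
    try:
        conn.execute("DELETE FROM orders")
        conn.commit()
        return "deleted"
    except sqlite3.OperationalError:
        return "blocked"


def demo():
    """Run both query styles with the same hostile input on a read-only connection."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.db")
        build_db(path)
        conn = open_readonly(path)
        hostile = "x' OR 1=1 --"  # constructed input: closes the quote, makes WHERE always true
        leaked = orders_concat(conn, hostile)  # every customer's rows come back
        bound = orders_param(conn, hostile)    # no customer is literally named this
        outcome = try_delete(conn)
        conn.close()
        return {"leaked_rows": len(leaked), "param_rows": len(bound), "delete": outcome}
```

Run `demo()`: the concatenated query leaks all three rows, the parameterized one returns none, and the DELETE is blocked, which is exactly the trade-off the answer describes.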