SQL injection: isn't replace(“'”, “''”) good enough?

执笔经年 2020-12-03 05:38

While I can certainly see the advantages of using parameters for SQL queries, especially when dealing with datetimes and things like that, I'm still unsure about parameters

5 answers
  •  悲&欢浪女
    2020-12-03 06:33

    I think you're getting an answer on the way as to why it isn't enough, but you also run into the problem of somebody forgetting to do a replace on a string. If you 'always' use parameters, this is less of an issue.
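An added illustration of the point above (example code, not from the question or the answer), using Python's sqlite3 module on a constructed in-memory table: the quote-doubling replace() does hold when the value lands inside a quoted string literal, but it has nothing to act on when the value is concatenated into an unquoted numeric comparison, whereas a bound parameter covers both contexts. The table, names and helper functions are all made up for this example.

```python
import sqlite3

def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users(name, is_admin) VALUES (?, ?)",
                     [("alice", 0), ("bob", 0), ("carol", 1), ("o'brien", 0)])
    return conn

def escape_quote(value):
    # The replace("'", "''") approach asked about in the question.
    return str(value).replace("'", "''")

def find_by_name_escaped(conn, name):
    # String context: the doubled quote keeps the literal closed, so the
    # escape holds here (in SQLite, which only uses '' inside literals).
    sql = "SELECT name FROM users WHERE name = '" + escape_quote(name) + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_id_escaped(conn, user_id):
    # Numeric context with no surrounding quotes: there is no quote to
    # escape, so whatever the caller passes is parsed as SQL. A value such
    # as "1 OR 1=1" widens the WHERE clause to every row.
    sql = "SELECT name FROM users WHERE id = " + escape_quote(user_id)
    return [row[0] for row in conn.execute(sql)]

def find_by_id_param(conn, user_id):
    # Bound parameter: the value is sent as data, never parsed as SQL, so
    # the same string matches no row instead of rewriting the query.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]
```

The escaped integer lookup returns the whole table for the input "1 OR 1=1" while the parameterised one returns nothing, which is the contrast the answer is pointing at: escaping only protects the context you remembered to handle.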
