SQL injection: isn't replace("'", "''") good enough?

Backend, unresolved, 5, 1461
执笔经年 2020-12-03 05:38

While I can certainly see the advantages of using parameters for SQL queries, especially when dealing with datetimes and things like that, I'm still unsure about parameters

5 answers
  •  遥遥无期
    2020-12-03 06:17

    Use a procedure.

    Convert the statement to static SQL, placing the value of parameter into a local variable.

    This does help!
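An added example, not code from the question or the answer above, showing in Python with the standard library's sqlite3 module what the quote-doubling in the title does and does not cover. Quote doubling only keeps a string literal closed; when the value is spliced into a position that is not a quoted literal (a numeric comparison, for example) there is no quote to escape and the text becomes part of the statement. A bound parameter separates the value from the statement text in every context, which is the same separation the answer gets from a procedure with a local variable. The table and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo table: one text column and one numeric column,
    so both a quoted and an unquoted context can be exercised."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, age) VALUES (?, ?)",
        [("alice", 30), ("o'brien", 41), ("carol", 27)],
    )
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """The replace("'", "''") approach from the question title."""
    return value.replace("'", "''")


def find_by_name_escaped(conn, name):
    # Quoted string-literal context: doubling the quote keeps the literal
    # closed, so the lookup for o'brien still works.
    sql = "SELECT name FROM users WHERE name = '%s'" % escape_quotes(name)
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    # Same lookup with a bound parameter: no escaping needed at all.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    )]


def find_by_age_escaped(conn, age_text):
    # Unquoted numeric context: there is no quote to double, so replace()
    # changes nothing and whatever the caller passed is spliced into the
    # statement text. Input that is not a number alters the query's shape.
    sql = "SELECT name FROM users WHERE age = %s" % escape_quotes(age_text)
    return [row[0] for row in conn.execute(sql)]


def find_by_age_param(conn, age_text):
    # Bound parameter: the value never becomes statement text. SQLite applies
    # numeric affinity to a well-formed number ("30" matches 30); anything
    # else stays a plain string that matches no row.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE age = ?", (age_text,)
    )]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "o'brien"))     # ['o'brien']
    print(find_by_name_param(db, "o'brien"))       # ['o'brien']
    print(find_by_age_param(db, "30"))             # ['alice']
    print(find_by_age_param(db, "30 OR 1=1"))      # [] - treated as a string
    print(find_by_age_escaped(db, "30 OR 1=1"))    # every row: statement was altered
```

The two `find_by_age_*` functions receive the identical input; only the parameterized one keeps the statement's meaning fixed. That is the practical answer to the title question: escaping is correct for exactly one context, parameters are correct for all of them.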
