by hultner 3648 days ago
I was thinking the same thing, and do people really still build SQL strings programmatically in the server application?

Seems like this bad practice should be dead by now; not only does it open the application up to injection attacks, but it also prevents the database from optimizing the query by precompiling, data aggregation and building smarter execution plans.

2 comments

It happens a lot in junk WordPress plugins. Even with built-in support for doing it better [1], far too many just use straight concatenation.

[1]: https://developer.wordpress.org/reference/classes/wpdb/prepa...

It should be dead by now, but I had to move a website done by an agency to a new server. I don't really code PHP, but could see that it was full of concatenated SQL strings.
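An added example, not code from this thread or from WordPress, showing the two patterns the comments contrast: a query assembled by string concatenation beside the same query with a bound parameter. It uses Python's standard `sqlite3` module on a constructed in-memory table instead of `wpdb`.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    # The pattern the thread complains about: the query text is built from
    # the input, so the input can change the structure of the statement and
    # every distinct value produces a distinct statement for the planner.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    # Parameterised form: the SQL text is fixed and the value is bound
    # separately, so the engine never parses the input as SQL and can
    # reuse one prepared statement for every lookup.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    benign = "alice"
    # A value with a quote in it: harmless as data, structural when concatenated.
    quoted = "x' OR '1'='1"
    return {
        "concat_benign": find_user_concat(conn, benign),
        "concat_quoted": find_user_concat(conn, quoted),
        "param_benign": find_user_param(conn, benign),
        "param_quoted": find_user_param(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With concatenation the quoted value widens the WHERE clause and returns every row; with a bound parameter the same value is simply a name that matches nothing.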