by devinl 2747 days ago
Prepared statements tend to be the best answer for most cases, which is similar to the approach you describe but is natively supported by most SQL dialects and also improves performance.

In my experience, many developers and even experienced security engineers can fail to give this answer though.

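An added example, not part of the thread, showing the distinction the comment above draws: the same lookup written once by splicing raw input into the SQL text and once as a prepared statement with a bound parameter, both run against a constructed in-memory SQLite table (the table, rows and test input are all invented here).

```python
import sqlite3


def build_db():
    """Constructed demo database: one users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: raw input becomes part of the SQL text.

    A quote character inside `name` ends the string literal early, so the
    caller's input can change the structure of the statement, not just
    the value being compared.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared form: the statement is compiled with a placeholder.

    The value is bound separately by the driver, so whatever `name`
    contains is only ever compared as a string; it cannot alter the
    query's shape, and no escaping code is needed in the application.
    """
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed input that closes the literal and widens the WHERE clause
# when concatenated; harmless when bound as a parameter.
HOSTILE_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(lookup_concat(db, "alice"))          # one row, as intended
    print(lookup_concat(db, HOSTILE_NAME))     # every row leaks
    print(lookup_prepared(db, HOSTILE_NAME))   # no match: []
```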

That's only relevant to know if you're actually implementing the piece that takes raw input and builds a query out of it, and most devs don't work with that piece on a day-to-day basis.

Knowing that you need to use a framework that takes care of input sanitizing is enough for the typical dev.

Edit: Expecting "prepared statements" as "the" answer seems close to making it a trivia question rather than a "sufficient understanding for doing the job" question.