[crazygringo]

What's wrong with string concatenation?

[whatevaa]

Guaranteed source of bugs in complex cases.

[crazygringo]

More complex cases are more likely to have bugs period, just in their logic.

String concatenation isn't really a major source of that. Just make sure your parentheses match, as you need to do no matter what, and include a space at the start and end of each string to make sure you don't accidentally smush terms together likethis.

[t-writescode]

Simpler SQL injection risk and more testing to make sure all potential branching paths don’t result in invalid SQL.

[webstrand]

There's zero danger of sql injection so long as everything is being passed by parameters. You just concatenate placeholders when you need string concatenation to build the query.

[crazygringo]

Exactly this.

And if you're testing, you've got to test every query combination anyways. It's not just syntax that can be wrong, but logic and performance.