by t-writescode 273 days ago
Simpler SQL injection risk and more testing to make sure all potential branching paths don’t result in invalid SQL.

There's zero danger of SQL injection so long as everything is being passed by parameters. You just concatenate placeholders when you need string concatenation to build the query.
Exactly this.

And if you're testing, you've got to test every query combination anyways. It's not just syntax that can be wrong, but logic and performance.
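Added example (not code from anyone in the thread) showing both points above: the query text is assembled from optional filters by concatenating `?` placeholders while every user-supplied value stays a bound parameter, and every branch combination is then executed once to confirm no path yields invalid SQL. The `users` table, its rows, the filter names and the injection payload are all constructed for the demonstration; it uses Python's standard `sqlite3` module so it runs offline.

```python
import itertools
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
ROWS = [
    ("alice", "eng", 120000, 1),
    ("bob", "eng", 95000, 0),
    ("carol", "sales", 70000, 1),
    ("dave", "sales", 65000, 1),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT, salary INTEGER, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_query(dept=None, min_salary=None, active_only=False, name_prefix=None):
    """Assemble the WHERE clause from optional filters (hypothetical filter names).

    Only fixed SQL fragments and '?' placeholders are concatenated; the
    user-controlled values are collected separately and bound at execute time.
    """
    clauses, params = [], []
    if dept is not None:
        clauses.append("dept = ?")
        params.append(dept)
    if min_salary is not None:
        clauses.append("salary >= ?")
        params.append(min_salary)
    if active_only:
        clauses.append("active = 1")  # constant, no parameter needed
    if name_prefix is not None:
        # The LIKE pattern is a parameter too; escape wildcards so the prefix is literal.
        escaped = (name_prefix.replace("\\", "\\\\")
                              .replace("%", "\\%")
                              .replace("_", "\\_"))
        clauses.append("name LIKE ? ESCAPE '\\'")
        params.append(escaped + "%")
    sql = "SELECT name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY name"
    return sql, params


def safe_search(conn, **filters):
    sql, params = build_query(**filters)
    return [row[0] for row in conn.execute(sql, params)]


def unsafe_search(conn, dept):
    """Deliberately vulnerable counterpart: the value is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE dept = '{dept}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def check_all_combinations(conn):
    """Run every combination of filter branches; a syntax error in any path raises."""
    options = {
        "dept": [None, "eng"],
        "min_salary": [None, 80000],
        "active_only": [False, True],
        "name_prefix": [None, "a"],
    }
    count = 0
    for values in itertools.product(*options.values()):
        filters = dict(zip(options.keys(), values))
        sql, params = build_query(**filters)
        assert sql.count("?") == len(params), sql  # placeholder/param mismatch
        conn.execute(sql, params).fetchall()       # prepare + run: invalid SQL raises here
        count += 1
    return count


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", unsafe_search(db, payload))   # tautology returns every row
    print("safe:  ", safe_search(db, dept=payload))  # payload is just a dept value: no rows
    print("paths checked:", check_all_combinations(db))
```

The tautology payload returns the whole table through `unsafe_search` but nothing through `safe_search`, because the bound parameter is compared as a plain string. `check_all_combinations` is the cheap version of "test every branch": it does not verify the logic or the plan of each path, only that each one prepares and runs, which is the minimum the thread is asking for.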