Hacker News new | ask | show | jobs
by webstrand 273 days ago
There's zero danger of sql injection so long as everything is being passed by parameters. You just concatenate placeholders when you need string concatenation to build the query.
1 comments
crazygringo 273 days ago
Exactly this.

And if you're testing, you've got to test every query combination anyways. It's not just syntax that can be wrong, but logic and performance.

link