[zyxley]

What happens when you have to deal with a crazy pop star with a " in his (real, legal, you-are-the-unreasonable-one-for-demanding-something-else) name? (This is ignoring the myriad of issues that come with parameterizing names into "first name" and "last name" in the first place, but that's a separate thing.)

This is what binding variables is for, but to use them you're either writing for specific platforms (PSQL, Oracle SQL, etc), or you're using middleware that hides the raw SQL from you.

[vinceguidry]

This is a problem with the string domain, not with SQL. You'd have it no matter what data persistence method you use. The answer is to put logic between that function and your form data puller.