Subject | Re: Noobie Null Date and Time woes |
---|---|
Author | Adam |
Post date | 2005-12-14T23:12:51Z |
> > Use a prepared statement. Dynamically constructing SQL is a serious
> > security loophole and a performance dog.
> >
> > I am not certain of the syntax for your language, but here it is in
> > Java. It is similar in Delphi.
>
> Thanks for the FUD.
Not FUD at all.
Security Loophole:
Dynamically constructing SQL statements is risky if you allow an
arbitrary string to be inserted into an SQL statement. Of course, if
you remember to deal with any escape character they type into the
string, it won't be an issue but parameters are simply a lot easier to
use.
Performance Dog:
Every time the SQL is adjusted, the PLAN is discarded. With
parameterised queries, the PLAN can be kept and the values changed. In
some cases, the prepare time is quite significant.
This is not language specific, but just as much a risk if you use
Delphi, C#, Java, VB or any other language you care to name.
Adam
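An added example, not from this thread or any of its authors, that contrasts the two points above using Python's sqlite3 module (assumed here in place of the Java/Delphi the thread discusses): the concatenated statement is broken by ordinary data containing a quote and needs its own code path for a null date, while the parameterised form keeps one statement text, binds `None` as NULL, and leaves the quote as data.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows: the apostrophe in O'Brien is ordinary data,
# and None stands for the "null date" the thread's subject asks about.
SAMPLE_ROWS = [
    ("O'Brien", datetime(2005, 12, 14, 23, 12, 51)),
    ("Smith", None),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (name TEXT, happened_at TEXT)")
    return conn

def insert_dynamic(conn, name, happened_at):
    """Builds the SQL by string concatenation: any quote in the data changes
    the statement text, and the NULL case needs a separate branch."""
    when = "NULL" if happened_at is None else f"'{happened_at.isoformat(' ')}'"
    sql = f"INSERT INTO events VALUES ('{name}', {when})"
    conn.execute(sql)  # raises sqlite3.OperationalError for O'Brien

def insert_parameterised(conn, name, happened_at):
    """One fixed statement text with values bound separately: the quote stays
    data, None is sent as NULL, and the same text (and plan) serves every call."""
    when = None if happened_at is None else happened_at.isoformat(" ")
    conn.execute("INSERT INTO events VALUES (?, ?)", (name, when))

def run_both():
    """Runs both approaches over SAMPLE_ROWS on fresh databases and returns,
    per approach, (number of failed inserts, rows actually stored)."""
    results = {}
    for label, fn in (("dynamic", insert_dynamic),
                      ("parameterised", insert_parameterised)):
        conn = make_db()
        failures = 0
        for name, when in SAMPLE_ROWS:
            try:
                fn(conn, name, when)
            except sqlite3.Error:
                failures += 1
        stored = conn.execute(
            "SELECT name, happened_at FROM events ORDER BY name").fetchall()
        results[label] = (failures, stored)
        conn.close()
    return results

if __name__ == "__main__":
    for label, (failed, rows) in run_both().items():
        print(f"{label}: {failed} failed insert(s), stored {rows}")
```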