6.1 Use Bind Arguments

As you have seen in all the examples presented so far in this tutorial, the flaw shared by every piece of code vulnerable to SQL injection is the construction of dynamic SQL by string concatenation of input. Complete immunity from SQL injection attacks can only be achieved by eliminating input string concatenation from dynamic SQL.

Avoid input string concatenation. Use bind arguments, whether automatically via static SQL or explicitly via dynamic SQL statements.

Design your code to use bind arguments wherever possible. The only exceptions should be the cases where you have no other choice because you must concatenate identifiers or keywords, which bind arguments cannot supply.
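The following PL/SQL script is an added illustration, not code from this tutorial: it places a concatenating function beside the two bound forms the text recommends (static SQL, and dynamic SQL with `USING`) and runs all three on the same input. The table `demo_emp`, its rows and the function names are constructed for the example.

```sql
-- Constructed sample schema (not from the tutorial): one table and two rows.
CREATE TABLE demo_emp (emp_name VARCHAR2(30), salary NUMBER);
INSERT INTO demo_emp VALUES ('alice', 100);
INSERT INTO demo_emp VALUES ('bob',   200);
COMMIT;

-- VULNERABLE: the caller's string is spliced into the statement text, so a
-- quote inside the input ends the literal and the rest is parsed as SQL.
CREATE OR REPLACE FUNCTION salary_concat (p_name IN VARCHAR2) RETURN NUMBER IS
  l_total NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT SUM(salary) FROM demo_emp WHERE emp_name = ''' || p_name || ''''
    INTO l_total;
  RETURN l_total;
END;
/
-- HARDENED, static SQL: the PL/SQL compiler binds p_name automatically.
CREATE OR REPLACE FUNCTION salary_static (p_name IN VARCHAR2) RETURN NUMBER IS
  l_total NUMBER;
BEGIN
  SELECT SUM(salary) INTO l_total FROM demo_emp WHERE emp_name = p_name;
  RETURN l_total;
END;
/
-- HARDENED, dynamic SQL: the statement text is a constant; the value travels
-- through the :name placeholder via USING and is never parsed as SQL.
CREATE OR REPLACE FUNCTION salary_dynamic (p_name IN VARCHAR2) RETURN NUMBER IS
  l_total NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT SUM(salary) FROM demo_emp WHERE emp_name = :name'
    INTO l_total USING p_name;
  RETURN l_total;
END;
/
-- Same input, different outcomes: the concatenating version lets the input
-- rewrite the WHERE clause and sums every row; both bound versions treat the
-- whole string as one literal name, which matches no row.
DECLARE
  l_in VARCHAR2(50) := 'x'' OR ''a''=''a';
BEGIN
  DBMS_OUTPUT.PUT_LINE('concat : ' || salary_concat(l_in));
  DBMS_OUTPUT.PUT_LINE('static : ' || salary_static(l_in));
  DBMS_OUTPUT.PUT_LINE('dynamic: ' || salary_dynamic(l_in));
END;
/
```

Run it in SQL*Plus or SQLcl with `SET SERVEROUTPUT ON` to see the three results side by side.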

See lesson 3 and lesson 4 for more on the use of bind arguments.