Uncle Sam’s Had It Up To Here With “Unforgivable” SQL Injection Flaws

We all know SQL injection attacks are an ongoing problem <https://www.theregister.com/2024/03/26/fbi_cisa_sql_injection/>. What interested me about this article is this part:

> Software vendors have been advised to use parameterized queries with prepared statements to mitigate SQL injection vulnerabilities. According to the authorities, these allow user-input data to be separated from SQL queries and "better embody a secure by design approach" compared to input sanitization techniques. These are deployed by some vendors, but were branded "brittle" by CISA and the FBI. They said they're also difficult to deploy on a large scale and are more easily bypassed.

Funny, that. Every time I post examples of how I dynamically construct SQL query strings with proper quoting of user input, I get yelled at and told to use “parameterized queries” and “prepared statements”, or even an ORM. Yet here we have the security experts saying that that is not a good solution, just like I thought all along.
Lawrence D'Oliveiro
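The three approaches the post contrasts (unquoted string construction, hand-quoted string construction, and parameterized queries) side by side, as an added example that is not part of the original post or the article it cites. It uses Python's standard sqlite3 module and a constructed in-memory table; the quoting routine (doubling single quotes) is assumed to be what "proper quoting" means for SQLite string literals.

```python
import sqlite3

# Constructed sample data, not from the original post.
ROWS = [(1, "alice"), (2, "bob")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def quote_sql_string(s):
    # Hand-rolled quoting: doubling single quotes keeps the value inside a
    # string literal. Correct for SQLite *string* literals, and only there.
    return s.replace("'", "''")


def by_name_concat(conn, name):
    # Dynamic string construction with no quoting: input becomes SQL text.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(r[0] for r in conn.execute(sql))


def by_name_quoted(conn, name):
    # Same query, value quoted by hand; safe as long as every call site does it.
    sql = "SELECT name FROM users WHERE name = '%s'" % quote_sql_string(name)
    return sorted(r[0] for r in conn.execute(sql))


def by_name_param(conn, name):
    # Parameterized query: the SQL text is fixed, the value is bound separately.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


def by_id_quoted(conn, id_text):
    # Quoting does nothing in an unquoted numeric context: there is no quote
    # to double, so the input still becomes part of the expression.
    sql = "SELECT name FROM users WHERE id = %s" % quote_sql_string(id_text)
    return sorted(r[0] for r in conn.execute(sql))


def by_id_param(conn, id_text):
    # Bound parameter: SQLite applies INTEGER affinity to '1' (matches id 1),
    # while a non-numeric string does not convert and matches nothing.
    sql = "SELECT name FROM users WHERE id = ?"
    return sorted(r[0] for r in conn.execute(sql, (id_text,)))
```

The numeric case is the one the quoting approach misses: the escaping only protects contexts where the value sits inside a string literal, whereas a bound parameter never becomes SQL text at all.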