Hacker News

When parameterization fails: SQL injection in Nim using parameterized queries

13 points by xx_ns, yesterday at 4:17 PM, 3 comments

Comments

jiggawatts, yesterday at 8:53 PM

That’s… not parameterization the way most people understand it. It’s text templating, which is different and fraught with risk as the OP discovered.

For comparison: the Microsoft SQL client code will not substitute an escaped version of the query parameters into the query text! It sends the query with the named placeholders first, and then the parameter values encoded separately so that there’s zero risk of this kind of thing happening.

Also, this makes it trivial for the database engine to cache each query independently of the specific query parameter values.

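As an added illustration of the distinction jiggawatts draws (example code written for this page, not taken from the post or from Nim's database modules): a text-templating layer splices escaped values into the query string without understanding SQL, so it cannot even tell a placeholder `?` from a `?` inside a string literal, while a real driver hands the engine the unchanged text and binds values to the placeholders the engine's own parser found. It uses Python's `sqlite3` with constructed data; `template_query` is a hypothetical helper standing in for a templating layer, not any library's actual code.

```python
import sqlite3


def quote_for_template(value):
    # Templating-style escaping: double single quotes, wrap in quotes.
    # The layer never parses the SQL it is splicing into.
    return "'" + str(value).replace("'", "''") + "'"


def template_query(sql, params):
    # Hypothetical templating layer: replace '?' left to right with escaped
    # text. It cannot distinguish a placeholder from a '?' inside a literal.
    for value in params:
        sql = sql.replace("?", quote_for_template(value), 1)
    return sql


def run_templated(conn, sql, params):
    # Returns None when the engine rejects the spliced-together text.
    try:
        return [row[0] for row in conn.execute(template_query(sql, params))]
    except sqlite3.Error:
        return None


def run_bound(conn, sql, params):
    # Real parameterization: query text is sent unchanged, values are bound
    # to the placeholders the engine's parser identified.
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error:
        return None


def make_db():
    # Constructed sample data, in memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, motto TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Why?"), ("bob", "Because.")])
    return conn


PLAIN_SQL = "SELECT name FROM users WHERE name = ?"
# The query text itself legitimately contains a '?' inside a string literal.
LITERAL_SQL = "SELECT name FROM users WHERE motto = 'Why?' AND name = ?"


def compare(sql, name):
    # (templated result, bound result) for the same query text and value.
    conn = make_db()
    return run_templated(conn, sql, (name,)), run_bound(conn, sql, (name,))


if __name__ == "__main__":
    print(compare(PLAIN_SQL, "alice"))    # (['alice'], ['alice'])
    print(compare(LITERAL_SQL, "alice"))  # (None, ['alice'])
```

On the plain template both paths agree, which is why a templating layer can look correct for a long time; on the second template the templating layer substitutes the value into the literal and the engine rejects the text, while the bound query returns the right row.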