Comment by tcdent
3 months ago
Just keep in mind best practice is to use the built-in parameter interpolation that comes with your db library, since it handles escaping SQL injection for you.
Be very careful if you ever use bare string formatting to construct your queries.
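The difference the comment describes, shown as an added example that is not part of the original comment. It assumes Python's standard `sqlite3` module as the db library; the table, function names and sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn

def find_user_formatted(conn, name):
    """Bare string formatting: the input becomes part of the SQL text."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()

def find_user_parameterized(conn, name):
    """Placeholder binding: the driver passes the input as data, not SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def demo():
    conn = make_db()
    hostile = "nobody' OR '1'='1"  # constructed input containing a quote
    results = {
        # The quote closes the literal, so the WHERE clause matches every row.
        "formatted_hostile": find_user_formatted(conn, hostile),
        # Bound as a value: compared literally against the name column.
        "param_hostile": find_user_parameterized(conn, hostile),
        # A legitimate name with an apostrophe works when bound.
        "param_quote": find_user_parameterized(conn, "o'brien"),
    }
    # The same legitimate name breaks the formatted query outright.
    try:
        find_user_formatted(conn, "o'brien")
        results["formatted_quote"] = "ok"
    except sqlite3.OperationalError:
        results["formatted_quote"] = "syntax error"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The formatted version fails in both directions: it returns rows it should not for the hostile input and raises a syntax error for a legitimate name containing an apostrophe.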