Wednesday, September 16, 2009

Parameterize Your SQL

Just read this from Antonio Cangiano's blog:

Parameterized queries are therefore efficient and go a long way towards preventing SQL injection attacks in your applications. They have virtually no downside.

Newbie developers often ignore the existence of this feature and end up irritating seasoned DBAs who have to deal with the consequences of their incompetence.


And all this time I've been avoiding parameterized queries because I thought creating prepared statements was less efficient. Turns out they get cached though. Doh!

After reading these brief articles, here and here, I vow to change my ways.
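To make the two points above concrete (parameterized queries neutralize injection, and the fixed SQL text is what makes statement caching work), here is a small added example. It is not from the original post or from Antonio Cangiano's articles; it uses Python's standard sqlite3 module against an in-memory database with a constructed `users` table, and the hostile password value is a constructed sample chosen only to show how the two query styles treat it differently.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def count_concat(conn, name, password):
    """Vulnerable form: untrusted input is spliced into the SQL text, so any
    quote characters in the input are parsed as part of the statement."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0]


def count_param(conn, name, password):
    """Parameterized form: the SQL text is fixed and the values are bound
    separately, so they are only ever treated as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0]


def demo():
    """Run both query styles with a legitimate and a hostile password value
    and return the matched-row counts for comparison."""
    conn = make_db()
    hostile_pw = "x' OR '1'='1"  # constructed sample input
    return {
        "concat_legit": count_concat(conn, "alice", "s3cret"),
        "concat_hostile": count_concat(conn, "alice", hostile_pw),
        "param_legit": count_param(conn, "alice", "s3cret"),
        "param_hostile": count_param(conn, "alice", hostile_pw),
    }


def distinct_statement_texts(names):
    """Why caching favours parameters: concatenation yields a different SQL
    string per input (each one parsed and cached separately), while the
    parameterized text is identical every time and is compiled once.
    sqlite3 keeps a per-connection statement cache keyed on that text
    (the cached_statements argument to sqlite3.connect, default 128)."""
    concat_texts = {f"SELECT COUNT(*) FROM users WHERE name = '{n}'" for n in names}
    param_texts = {"SELECT COUNT(*) FROM users WHERE name = ?" for _ in names}
    return len(concat_texts), len(param_texts)


if __name__ == "__main__":
    print(demo())
    print(distinct_statement_texts(["alice", "bob", "carol"]))
```

With the concatenated query the hostile value turns the WHERE clause into `(name = 'alice' AND password = 'x') OR '1'='1'`, which matches every row; the parameterized query compares the whole string as a password and matches nothing. The second helper shows the efficiency side: three different inputs mean three parsed statements for concatenation but a single cached one for the parameterized text.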