Level Extreme Platform
Convert DateTime to a string to send to SQL serv
Message
From: 05/09/2010 17:24:18
To: 05/09/2010 16:50:20
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
General information
Forum: Visual FoxPro
Category: Other
Environment versions
Visual FoxPro: VFP 9 SP1
Miscellaneous
Thread ID: 01480183
Message ID: 01480218
Views: 60
Just to add another reference: http://xkcd.com/327/

>The other advantage is that parameters prevent SQL Injection. The concatenated examples in this thread are all wide open to injection if a hacker can sneak a quote character into the parameter followed by their own SQL command that could be a SELECT * to steal your customer list or a DROP if they are malicious. You can write code to watch for quotes and other injection attempts, but using parameters makes it a complete non-event.
>
>FWIW for those who have not encountered SQL Injection, here's a simple example of concatenated SQL:
>
>"SELECT * FROM members WHERE username = '"+lcusername+"'"
>If the hacker can enter their username as bob'; DROP table members; -- then the SQL becomes
>
>SELECT * FROM members WHERE username='bob'; DROP table members; --'
>and you get the idea. Yes you can write code to prevent use of quote characters etc but this cannot occur at all if you use parameters.
----------------------------------
António Tavares Lopes
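Added example, not code from this thread or from either poster: the concatenated lookup from the quoted post beside its parameterized form, run against an in-memory SQLite table so the difference can be observed directly. The table name, column names and sample rows are constructed for the demo. One assumption to note: Python's sqlite3 driver refuses a string containing more than one statement, so the vulnerable function falls back to executescript() to emulate a SQL Server batch, which would run the injected DROP without complaint.

```python
import sqlite3

# Constructed sample data standing in for the "members" table from the thread.
SAMPLE_MEMBERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def table_exists(conn, name="members"):
    """True while the table is still present; used to observe whether a DROP ran."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_concatenated(conn, username):
    """Vulnerable: the concatenated query from the quoted post, written in Python.

    The caller's input becomes part of the SQL text, so a quote character in it
    closes the string literal and everything after is parsed as SQL.
    """
    sql = "SELECT username, email FROM members WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3.execute() rejects a string holding more than one statement.
        # A SQL Server batch would run them all; executescript() emulates that.
        # It discards SELECT results, so nothing is returned on this path.
        conn.executescript(sql)
        return []


def lookup_parameterized(conn, username):
    """Safe: the value travels separately from the SQL text, so the driver only
    ever compares it as data and never parses it as SQL."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    steal = "' OR '1'='1"                  # makes the WHERE clause always true
    drop = "bob'; DROP TABLE members; --"  # the payload from the quoted post
    print("concatenated, steal :", lookup_concatenated(conn, steal))
    print("parameterized, steal:", lookup_parameterized(conn, steal))
    print("parameterized, drop :", lookup_parameterized(conn, drop))
    print("table exists before :", table_exists(conn))
    lookup_concatenated(conn, drop)
    print("table exists after  :", table_exists(conn))
```

With concatenation the always-true input returns every row (the "steal your customer list" case) and the DROP payload removes the table; the parameterized version returns no rows for either input and leaves the table in place, with no quote-filtering code needed.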