I realize that parameterized SQL queries are the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with takin
If you have parameterised queries available you should be using them at all times. All it takes is for one query to slip through the net and your DB is at risk.