@boomzilla said:
I am saddened. I had just come to the conclusion that you were just trolling us. Your solution isn't the better solution. The better solution is to start switching stuff over to using parameters. That's better because it's actually easier than whatever you were thinking and it would actually work, like, all the time.
It is better than what they have (and I don't even know that because the code that executes the query wasn't provided). Why can't both be done? Mitigate the risk, then work on improving it? Maybe this application is in maintenance and there's no need to improve it because its replacement is in development.