+1 for suggesting placeholders/bind-values. Takes the guesswork out of how to construct a safe, valid interpolated string, and could be more efficient if the execute may be called multiple times for a given prepare. It's just a good habit too; someday there would be a temptation to interpolate something into the SQL that isn't a string literal, and at that point you start getting into potential SQL injections.