in reply to Re^12: CGI Action call
in thread CGI Action call
You say: Interpolating user-supplied data into SQL statements is a problematic thing and best avoided.
No. He says: User data may, maliciously or accidentally, including programmer error, be problematic and must be sanitised.
Regards,
John Davies