And dialect differences aside, depending on the underlying database's implementation data passed by placeholders may never be seen by the SQL parser making it that much harder for people to attempt XSS attacks (if it's not passed through the SQL parser then the black hat doesn't even get an opening to play What's my quoting mechanism?)