You might want to consider use an elsif statement, to screen out attempts to inject SQL components. Those people that try SQL injection are best kept away. Update: I was thinking combination of characters. Your right though below. There probably wouldn't be any cases where placeholders is not the best option.