SQL Injection - Best Practices

This was brought to my attention as being bad practice. I could easily move this to a named query, and have no issue or problem doing that; but I think named queries have a time and place. If I am using a query only 1 time for a singular purpose, I generally like to have it in the table local.

Does this open the door (as my criticism suggests) to any sort of SQL injection? Does the table component have any sort of security that would prevent external string manipulation for variables 'query'

I absolutely want to follow best practice, but I also like having some things the way that I have them. Am I in the wrong here?

Since you're not using any kind of string formatting to build your query (you're not) then you're fine, no SQL injection risk. The prep variants of the SQL query functions are 'safe' against SQL injection (for parameters) as long as you're not opening your own hole by accepting user input into the actual query body.


thank you for the feedback!

Tip: post code, not pictures of code, so we can copy it into our answers and edit it. Use the </> button to format it as code to preserve indents and apply syntax highlighting.