===Preventing SQL Injection===
* String concatenation to build any part of a SQL statement with user controlled data creates a SQL injection vulnerability.
* Parameterized queries are a guaranteed approach to preventing SQL injection.
* It's not realistic to always know whether a piece of data is user controlled, therefore parameterized queries should be used whenever a method/function accepts data and uses it as part of the SQL statement.
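The following is an added example (not from the original page) contrasting a query built by string concatenation with the parameterized form, using Python's sqlite3 module and a constructed in-memory users table; it shows why the concatenated version lets the input change the statement's structure while the placeholder version treats the same input purely as data.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original page).
_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the untrusted value is spliced into the SQL text, so a quote
    # character inside `name` ends the literal and the rest becomes SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # SAFE: `?` is a placeholder; the driver binds `name` as a value, so the
    # statement's structure is fixed before the data is ever seen.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    # Runs both functions on a benign name and on the textbook tautology input.
    conn = _connect()
    benign = "alice"
    hostile = "x' OR 'a'='a"
    return {
        "concat_benign": find_user_concat(conn, benign),    # 1 row
        "concat_hostile": find_user_concat(conn, hostile),  # every row leaks
        "param_benign": find_user_param(conn, benign),      # 1 row
        "param_hostile": find_user_param(conn, hostile),    # no such user: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same placeholder approach applies to any part of the statement that carries user data; only identifiers (table or column names) cannot be bound and must instead be checked against an allow-list.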
Further Reading: [http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQL Injection Prevention Cheat Sheet]