That’s… not parameterization the way most people understand it. It’s text templating, which is different and fraught with risk, as the OP discovered.

For comparison: the Microsoft SQL client code will <i>not</i> substitute an escaped version of the query parameters into the query text! It sends the query with the named placeholders first, and then the parameter values encoded <i>separately</i>, so that there’s zero risk of this kind of thing happening.

Also, this makes it trivial for the database engine to cache each query independently of the specific query parameter values.
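The distinction drawn above (pasting values into query text versus sending placeholders and values separately), shown as an added example that is not part of the original comment. It uses Python's built-in sqlite3 as a stand-in for the client library, with a constructed two-row table; the `?` placeholders and separate parameter tuple are the same binding mechanism the comment describes.

```python
import sqlite3

# Constructed sample data for the demonstration.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # The insert itself uses real placeholders; values are bound separately.
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_templated(conn, name):
    """Text templating: the value is spliced into the SQL text, so any SQL
    metacharacters it contains are parsed as part of the statement."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    """True parameterization: the statement text carries only a placeholder;
    the value travels out of band and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def demo():
    """Run both lookups with a benign and a metacharacter-laden input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # classic tautology; only text templating is affected
    return {
        "templated_benign": lookup_templated(conn, benign),
        "templated_hostile": lookup_templated(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The templated lookup with the hostile input returns every row, while the parameterized one returns nothing because the whole string is compared as a literal name.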