in reply to Preventing SQL injection attacks: are -T and placeholders not enough?

This may be stating the obvious, but placeholders are only guaranteed effective when the SQL itself is completely static or, at the very least, is assembled from components that are themselves completely static - that is, no user-supplied data enters the SQL string itself in any way.

I bring this up because there may be situations where some portion of the statement (for ex. a column name) needs to be dynamically determined based on inputs. Such situations definitely require extra care. Also, it helps to emphasize the contrast with certain technologies (*cough* PL/SQL *cough*) that have less than full support for placeholders :)