Pit of Failure vs Pit of Success
When I started using SQL (late 80s / early 90s), parameterized SQL was pretty much the only way to go. I did actually figure out how to execute an arbitrary string of SQL and capture the resulting columns, whose names and data types couldn't be known until runtime. But it was a royal pain, and I doubt most people would have been that persistent - if at all possible, they'd have stuck with the easy way, which involved using SQL parameters.
Fast-forward through a few decades of "advancement" in tools, and now it's trivial to execute a string of arbitrary SQL (just begging for SQL injection), and SQL parameters are this strange thing that people may have heard of, but they're hard to use and they seem like more trouble than they're worth. So far too many people just do it the easy (i.e. INSECURE) way!
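The contrast the comment draws, shown as runnable code. This is an added example, not code from the commenter; it assumes Python's standard-library sqlite3 driver and an in-memory database, and the users table and its three rows are constructed for the demo. The "easy" version splices the caller's string into the SQL text; the parameterized version keeps the statement fixed and sends the value separately. Because table and column names cannot be bound as parameters, the last function shows the one legitimate case for interpolation: a runtime-chosen identifier checked against a fixed allowlist first.

```python
import sqlite3

# Constructed sample data for the demo: a tiny in-memory users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 1),
    ("bob", "bob@example.com", 0),
    ("carol", "carol@example.com", 0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'easy' way: splice the caller's string into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a value
    such as  ' OR '1'='1  turns a one-row lookup into a full table dump.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The parameterized way: the SQL text is fixed, the value travels separately.

    The driver hands the value to SQLite as data, never as SQL, so quotes
    and keywords inside it have no syntactic effect.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Identifiers (table/column names) cannot be bound as parameters. When the
# column really is chosen at runtime, check it against a fixed allowlist of
# our own literals and quote it as an identifier instead of interpolating
# the raw string.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Return user names ordered by an allowlisted column (hypothetical helper)."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {column!r}")
    # Safe to interpolate: the value is one of our own literals, and the
    # double quotes make it an SQL identifier rather than a string.
    sql = f'SELECT name FROM users ORDER BY "{column}"'
    return [row[0] for row in conn.execute(sql).fetchall()]


def demo() -> dict:
    """Run the same honest and hostile inputs through both lookups."""
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    return {
        "unsafe_honest": lookup_unsafe(conn, "alice"),
        "unsafe_injected": lookup_unsafe(conn, payload),   # every row leaks
        "safe_honest": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, payload),       # no user has that name
        "sorted_by_email": list_users_sorted(conn, "email"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16} -> {rows}")
```

Running it shows the asymmetry the comment complains about: the string-building version returns all three users for the hostile input, while the parameterized version returns nothing, because the payload is compared as a literal name. Note that the safe version is not more code than the unsafe one; the only change is moving the value out of the SQL text and into the parameter tuple.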