A simple question I wasn't able to get a clear answer on...

It is general best practice to use prepared statements and parameters rather than concatenated strings to build SQL statements as mitigation against SQL injection. However, in some databases I've used, there is also a performance advantage. For example, the planner may be able to more easily recognise a statement and reuse an existing plan rather than re-planning the query.

I wasn't sure what the situation is with Postgres - is there a performance benefit in using prepared statements over a query string where the values are just concatenated into the string?

Thanks,

Tim

--
Tim Cross
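The two forms the question contrasts, written out for PostgreSQL as an added example that is not part of the original message. The `accounts` table, its rows and the statement name `account_by_owner` are constructed for illustration.

```sql
-- Constructed sample data (not from the original message).
CREATE TEMP TABLE accounts (id int PRIMARY KEY, owner text NOT NULL);
INSERT INTO accounts VALUES (1, 'alice'), (2, 'bob');

-- Concatenated form: the client pastes the input into the statement text.
-- With the input   x' OR '1'='1   the server receives the statement below,
-- where the input has become SQL syntax. Every distinct input also yields
-- a distinct statement text that is parsed and planned from scratch.
SELECT id, owner FROM accounts WHERE owner = 'x' OR '1'='1';   -- all rows

-- Prepared form: PREPARE parses, analyzes and rewrites the statement once.
-- $1 is a typed placeholder, so a bound value can never change the
-- structure of the query.
PREPARE account_by_owner (text) AS
    SELECT id, owner FROM accounts WHERE owner = $1;

EXECUTE account_by_owner('alice');             -- one row
EXECUTE account_by_owner('x'' OR ''1''=''1');  -- no rows: compared as a plain string

-- Planning happens at EXECUTE time. The server may build a custom plan for
-- the supplied value or reuse a cached generic plan; a generic plan shows
-- $1 in the EXPLAIN output instead of the literal value.
EXPLAIN EXECUTE account_by_owner('alice');

-- PostgreSQL 12 and later: plan_cache_mode overrides the automatic choice
-- (auto, force_custom_plan, force_generic_plan).
SET plan_cache_mode = force_generic_plan;
EXPLAIN EXECUTE account_by_owner('alice');
RESET plan_cache_mode;

-- Prepared statements are per session; this view lists the current ones.
SELECT name, statement, parameter_types FROM pg_prepared_statements;

DEALLOCATE account_by_owner;
```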