If you read the original requirement of the question, then you would recognize that you have the same vulnerability in the procedure. In both cases you have to avoid that with the corresponding mechanism, as mentioned. Using a prepared/parametrized statement would of course avoid that (but again, the question was different). So I cannot really agree with you.
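The distinction the comment draws, as an added example that is not part of the original thread: it assumes the discussion is about SQL injection through dynamic SQL, since the original question is not shown on this page. A Python function standing in for a stored procedure that concatenates its own SQL stays injectable no matter how the caller passes the value; the parametrized version binds the value instead. `sqlite3` is used only because it runs offline; the table, rows and payload are constructed here.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with three users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_dynamic(conn, name):
    # Stand-in for a stored procedure that builds its statement by string
    # concatenation inside the procedure body. Even if the caller invoked the
    # procedure with a bound parameter, the concatenation here re-introduces
    # the injection; the caller cannot fix it from outside.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    # Prepared/parametrized statement: the value is bound, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payload: closes the quoted literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL, normal input:      ", find_user_dynamic(db, "alice"))
    print("dynamic SQL, injected input:    ", find_user_dynamic(db, PAYLOAD))
    print("parametrized, normal input:     ", find_user_parameterized(db, "alice"))
    print("parametrized, injected input:   ", find_user_parameterized(db, PAYLOAD))
```

With the payload, the dynamic version returns every row, while the parametrized version returns nothing because it looks for a user literally named `x' OR '1'='1`.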