When I started to write the first SQL-Statements in my programs I felt quite comfortable with protecting myself against SQL-Injection with a very simple method that a colleague showed me. It replaced all single quotes with two single quotes.

So for example there is a searchfield in which you can enter a customername to search in the customertable. If you would enter

Peter's Barbershop

The SELECT Statement would look like

SELECT *
FROM Customers
WHERE Customername = 'Peter''s Barbershop'

If now an attacker would insert this:

';DROP TABLE FOO; --

The statement would look like:

SELECT *
FROM Customers
WHERE Customername = ''';DROP TABLE FOO;--'

It would not drop any table, but search the customertable for the customername ';DROP TABLE FOO;-- which, I suppose, won't be found ;-)

Now after a while of writing statements and protecting myself against SQL-Injection with this method, I read that many developers use parameterized statements, but I never read an article where "our" method was used. So definitely there is a good reason for it.

What scenarios would parameterized statements cover but our method doesn't? What are the advantages of parameterized statements compared to our method?

Thanks
Philipp