http://www.perlmonks.org?node_id=1011500


in reply to Encoding issue from DBI to string

The use of placeholders is absolutely vital when using SQL, especially in a website where the inputs can never be fully trusted. The placeholders, an un-quoted question mark (therefore, not a literal string), represent places where consecutive values from a separately-supplied list will be inserted. In this way, it is impossible for any of the data to be misinterpreted (that is, “injected”) as part of the SQL statement itself. Nor can there ever be any question about where each value begins or ends. The data-type of each parameter in the list is independently known and does not have to be, nor be converted to, a character string. (At least, not by you.) Furthermore, this might (or might not) also solve your character-encoding concern: the SQL string is one “thing,” and each parameter is another, such that never the twain shall meet. It’s very clean and black-box-ish: “here’s the SQL string, and here’s a rag-tag bag of parameters I want to use with it; now, go do it.”
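An added illustration of the point above (not code from the reply, and not from DBI's own documentation): it assumes DBD::SQLite is installed, uses an in-memory database, and the name and realm values are constructed sample input. The interpolated INSERT breaks on the apostrophe; the placeholder version stores both values, including the non-ASCII one, untouched.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;          # string literals in this file are decoded character strings
use DBI;

# Assumption: DBD::SQLite is available; :memory: keeps the demo self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 });

$dbh->do("CREATE TABLE monks (name TEXT NOT NULL, realm TEXT NOT NULL)");

# Constructed untrusted input: an apostrophe and a non-ASCII character.
my $name  = "O'Brien";
my $realm = "Köln";

# Wrong: the value is spliced into the SQL text. The apostrophe in $name
# terminates the literal early, SQLite sees a malformed statement, and
# RaiseError turns that into an exception.
eval {
    $dbh->do("INSERT INTO monks (name, realm) VALUES ('$name', '$realm')");
};
print "interpolated insert failed: $@" if $@;

# Right: the SQL text is fixed and the values travel separately, so a quote
# inside the data can never change the statement, and nothing needs escaping.
my $sth = $dbh->prepare("INSERT INTO monks (name, realm) VALUES (?, ?)");
$sth->execute($name, $realm);

# Read it back, again through a placeholder. With sqlite_unicode => 1 the
# driver returns decoded character strings, so "Köln" comes back as 4 chars.
my $row = $dbh->selectrow_arrayref(
    "SELECT name, realm FROM monks WHERE name = ?", undef, $name);

binmode STDOUT, ':encoding(UTF-8)';
printf "stored: %s from %s (realm length %d)\n",
    $row->[0], $row->[1], length $row->[1];
```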