We are taking some data from an XML file and inserting it into a database, following this example: Workflow - Import XML Data into MS SQL Database (more or less).
However, this allows for SQL Injection, which is Bad™. We have added a SearchAndReplace action to escape single quotes ('). However, to do this at the most sensible moment means doing it for a dozen or so variables. Besides, the proper way to prevent SQL injection is to use prepared statements anyway.
How do we use prepared statements?
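As an added illustration (not part of the question or of the workflow tool it refers to), here is what the XML-to-database step looks like with parameterised statements instead of quote escaping. It assumes a DB-API 2.0 connection using `?` placeholders, which is what both pyodbc (for MS SQL Server) and sqlite3 use; an in-memory sqlite3 database stands in for SQL Server so it runs offline, and the XML is constructed sample data.

```python
# Added example, not from the original post or the workflow tool it describes.
# Assumes a DB-API 2.0 connection with "qmark" placeholders ("?"), shared by
# pyodbc (MS SQL Server) and sqlite3; sqlite3 in-memory is the stand-in here.
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample XML. "O'Brien" contains the single quote that a
# SearchAndReplace escaping step would otherwise have to handle.
SAMPLE_XML = """<customers>
  <customer><id>1</id><name>Alice Smith</name><city>Leeds</city></customer>
  <customer><id>2</id><name>Conor O'Brien</name><city>Cork</city></customer>
</customers>"""

CREATE_SQL = "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)"
# The statement text contains placeholders only; no data is ever spliced in.
INSERT_SQL = "INSERT INTO customers (id, name, city) VALUES (?, ?, ?)"


def parse_customers(xml_text):
    """Return (id, name, city) tuples for each <customer> element."""
    root = ET.fromstring(xml_text)
    return [
        (int(c.findtext("id")), c.findtext("name"), c.findtext("city"))
        for c in root.findall("customer")
    ]


def insert_customers(conn, rows):
    """Insert every row through one prepared statement with bound parameters.

    Each value travels separately from the SQL text, so a quote inside the
    data is stored literally and cannot close the string or alter the query.
    No per-variable escaping is needed, however many fields are involved.
    """
    cur = conn.cursor()
    cur.executemany(INSERT_SQL, rows)
    conn.commit()


def load_xml_into_db(xml_text):
    """Create the table, load the XML, and return (row count, names in id order)."""
    conn = sqlite3.connect(":memory:")  # stand-in for pyodbc.connect(<conn string>)
    conn.execute(CREATE_SQL)
    insert_customers(conn, parse_customers(xml_text))
    count = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    names = [r[0] for r in conn.execute("SELECT name FROM customers ORDER BY id")]
    conn.close()
    return count, names


if __name__ == "__main__":
    print(load_xml_into_db(SAMPLE_XML))
```

With pyodbc the only change is the connection call; `cursor.executemany(INSERT_SQL, rows)` and the `?` placeholders stay the same.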