Re: SQL injection

Can some knowledgeable person set the record straight on SQL injection,
please?  I thought that the simple answer was to use prepared statements
with bind variables (except when you are letting the user specify whole
chunks of SQL, ugh), but there are many people posting who either don't
know about prepared statements or know something I don't.

Thanks,
Kevin Murphy

P.S.  I don't use PHP, but google informs me that PHP definitely has
prepared statement options: PEAR::DB, PDO in 5.X+, etc.