The problem isn't so much concatenation, as it is, concatenation based on dynamic (e.g user-submitted) input. In some (admittedly rare cases), it's hard to avoid concatenation since not every part of an SQL query can be parameterized, such as table names.
(Fun "fact", I vaguely remember that, once upon a time, even things like parameters in limit/offsets weren't universally supported. Also, and correct me if I'm wrong, first class support for arrays (e.g., via any($1)) is relatively new).
(Fun "fact", I vaguely remember that, once upon a time, even things like parameters in limit/offsets weren't universally supported. Also, and correct me if I'm wrong, first class support for arrays (e.g., via any($1)) is relatively new).