Completey agree, and in fact, I consider myself already bitten by it because of the time spent debugging why my arrays wouldn't unserialize.  The query in question has been reworked so that it uses placeholders throughout.
<br><br><div><span class="gmail_quote">On 9/4/07, <b class="gmail_sendername">Karoly Negyesi</b> &lt;<a href="mailto:karoly@negyesi.net">karoly@negyesi.net</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
&gt; I should&#39;ve looked deeper into the code .. it&#39;s a very complex query that<br>is dynamically generated, and it looks as though the constructed values<br>string is plugged in directly rather than using %s substitution.&nbsp;&nbsp;That
<br>explains it, I guess.<br><br>This is an extremely bad practice and you will be biten by it. Though core does similar at a few places wherever I have encountered such, I added a comment why it&#39;s safe -- usually because it&#39;s an integer retrieved from the database. Complex stuff should never go without a placeholder.
<br></blockquote></div><br>