t-writescode 3 days ago

Simpler SQL injection risk and more testing to make sure all potential branching paths don’t result in invalid SQL.

webstrand 3 days ago | parent [-]

There's zero danger of SQL injection so long as everything is being passed by parameters. You just concatenate placeholders when you need string concatenation to build the query.

crazygringo 3 days ago | parent [-]

Exactly this.

And if you're testing, you've got to test every query combination anyways. It's not just syntax that can be wrong, but logic and performance.
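
The approach discussed in this thread, as an added example that is not part of any comment above: a dynamic query is built by concatenating only constant fragments and `?` placeholders, values travel as bound parameters, and every combination of filters is executed once to catch invalid SQL. The `users` table, the filter names and the sample rows are constructed for illustration, using Python's `sqlite3`.

```python
import itertools
import sqlite3

# Fixed fragments: the only SQL text that is ever concatenated (hypothetical schema).
FRAGMENTS = {"name": "name = ?", "min_age": "age >= ?"}

def build_query(filters):
    """Return (sql, params); no caller-supplied value ever enters the SQL text."""
    clauses, params = [], []
    for key, value in filters.items():
        if key == "ids":
            if not value:
                clauses.append("0 = 1")  # an empty IN () is invalid in many databases
                continue
            # One placeholder per element; the values themselves stay in params.
            clauses.append("id IN (" + ", ".join("?" for _ in value) + ")")
            params.extend(value)
        elif key in FRAGMENTS:
            clauses.append(FRAGMENTS[key])
            params.append(value)
        else:
            raise ValueError(f"unknown filter: {key!r}")  # keys are allow-listed
    sql = "SELECT id, name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY id", params

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", 30), (2, "bob", 17), (3, "carol", 45)])
    return db

def search(db, filters):
    sql, params = build_query(filters)
    return db.execute(sql, params).fetchall()

def check_all_branches(db):
    """Execute every subset of filters so each branching path runs at least once."""
    sample = {"name": "alice", "min_age": 18, "ids": [1, 3]}
    count = 0
    for r in range(len(sample) + 1):
        for keys in itertools.combinations(sample, r):
            search(db, {k: sample[k] for k in keys})  # raises on invalid SQL
            count += 1
    return count
```

Executing every subset only proves each path produces valid SQL; the logic and performance of each combination still need their own assertions.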