Using concatenated literals is not recommended as it is far more susceptible to SQL injection, forces the database to re-parse the SQL, etc.

We should use DuckDB's prepare and execute methods with parameter binding to improve security as well as performance of these queries.