Fully Inverted — Now a Known Anti-Pattern — superseded by prepared statements (2003)
Prepared statements didn't exist in most languages yet, or weren't documented in beginner tutorials. String concatenation was the only pattern developers were taught.
In 1998, every PHP tutorial, every ASP getting-started guide, and every ColdFusion manual taught SQL query construction through string concatenation. This was not a shortcut — it was the documented, official approach.
The PHP Manual showed mysql_query("SELECT * FROM users WHERE name = '" . $name . "'") as the standard pattern. Microsoft's ASP documentation showed the same with & concatenation. Sun's J2EE tutorial used Statement with + concatenation even though PreparedStatement existed in the same package.
Why it was reasonable: For most developers in 1998, the threat model was physical access to the server. "Hackers" were people who broke into buildings. The concept of input-as-attack-vector hadn't been formalized. The immediate problem was shipping a working product, and concatenation worked in every test scenario.
How it was inverted: By 2002, SQL injection had become the most exploited web vulnerability worldwide. OWASP was founded in 2001 specifically to address these patterns. The practice that every tutorial taught became the vulnerability that every scanner detected. The inversion was total — from "how you do it" to "how you get breached."
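The concatenation pattern described above beside its prepared-statement replacement, as an added example that is not code from the original page or from any of the manuals it cites. It uses Python's sqlite3 in place of the PHP, ASP and Java of those tutorials; the users table, its columns and all sample values are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
ROWS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_user_concat(conn, name):
    # The 1998 tutorial pattern: the value is spliced into the SQL text,
    # so any quote in it is parsed as SQL syntax rather than as data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    # Parameterized form: the statement text is fixed and the value is
    # bound separately, so it can never alter the query structure.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    """Run both forms on the same input and report what each one did."""
    try:
        concat = find_user_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, find_user_prepared(conn, name)


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary name, a legitimate name containing a
    # quote, and a value whose quote rewrites the WHERE clause.
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        concat, prepared = compare(db, value)
        print(repr(value), "| concat:", concat, "| prepared:", prepared)
```

The ordinary name behaves identically in both forms, which is why concatenation passed every test scenario; the two quote-bearing inputs are where the forms diverge.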