Yes. Never use db.SQLSelect() with anything just added to the SQL statement from the user. Always use a prepared statement. The example given was a bit misleading in that area. Being that the user is new to database programming, they may very well follow the template given with no other changes.
Good catch @Tim Hare
Just to add a better example
Pseudo code
(Error checking excluded)
Please note that PostgreSQLPreparedStatement does not require the use of BindType as other dbs do.
[code]Dim ps As PostgreSQLPreparedStatement
Dim rs As RecordSet
// The SQL text is fixed; $1 and $2 are placeholders that PostgreSQL fills with bound values
ps = PostgreSQLPreparedStatement(db.Prepare("INSERT INTO table (col1, col2) VALUES($1, $2) RETURNING id"))
// Bind is zero-based: index 0 is $1, index 1 is $2
ps.Bind(0, somevar1)
ps.Bind(1, somevar2)
// SQLSelect (not SQLExecute) because RETURNING id gives back a row
rs = ps.SQLSelect()
[/code]
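As an added example (not code from the original post), here is the same insert written with the string-concatenation form left in as a comment next to the bound form, plus the error check and the read of the RETURNING value that the post above skips. It assumes a connected PostgreSQLDatabase named db, a table named customers with a text column name, and a TextField named NameField; those names are assumptions.

```xojo
// Added example, not from the original post.
// Assumes: db is a connected PostgreSQLDatabase, customers(name) exists, NameField is a TextField.

Dim userInput As String = NameField.Text   // whatever the user typed, quotes included

// 1. Do not do this: the user's text becomes part of the SQL, so a quote in the
//    input changes the statement instead of being stored as data.
// db.SQLExecute("INSERT INTO customers (name) VALUES ('" + userInput + "')")

// 2. Prepared statement: the SQL never changes, the value travels separately.
Dim ps As PostgreSQLPreparedStatement
ps = PostgreSQLPreparedStatement(db.Prepare("INSERT INTO customers (name) VALUES ($1) RETURNING id"))
ps.Bind(0, userInput)   // no BindType call needed for PostgreSQLPreparedStatement

// SQLSelect because RETURNING id hands back a one-row result
Dim rs As RecordSet = ps.SQLSelect()

If db.Error Then
  MsgBox "Insert failed: " + db.ErrorMessage
ElseIf rs <> Nil And Not rs.EOF Then
  Dim newId As Integer = rs.Field("id").IntegerValue
  // newId now holds the primary key of the row just inserted
  rs.Close
End If
```

The check on db.Error matters in practice: when Prepare or the bind fails, SQLSelect returns Nil, and reading rs.Field on Nil would raise a NilObjectException rather than tell you what went wrong.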