Execute raw SQL when you need full control.
Always use parameterized queries to prevent SQL injection. Never concatenate user input directly into SQL strings.