by thephyber 3891 days ago
That's not what "trivial" means. Trivial means the simplest possible example, which in almost every web framework involves passing input as received to the DB driver without knowing its contents and without escaping/sanitizing it.

Only by using frameworks and DB drivers correctly (RTFM) is one able to accurately avoid SQLi. I would argue that "using software correctly" is by no means trivial and rarely happens in most systems that have less than NASA-quality safeguards.

I would agree that most modern frameworks which are adopted by at least a few hundred developers tend to use best practices and a "security by default" mindset, but that's far from saying that "avoiding SQLi is trivial".
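As an added illustration (not part of thephyber's comment) of the distinction drawn above, here is a constructed Python/sqlite3 example: one function passes the input straight into the query text, the other hands it to the driver as a bound parameter. The table, rows and function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table (assumption, not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # The "trivial" form described in the comment: the received input is
    # spliced into the SQL text. The driver only ever sees the finished
    # string, so it has no way to tell which part was meant as data.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Using the driver as documented: a placeholder in the SQL and the
    # value passed separately. The value is bound as data and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()
```

A quoted-string input that merely looks odd to a human (for example a name containing an apostrophe) is enough to change the result set of `lookup_concat`, while `lookup_param` returns only rows whose name equals the input exactly.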