by ForbesLindesay 2518 days ago
No, the point is that people do write code that is unsafe. A cursory glance at recent Stack Overflow questions tagged with "node.js" and "sql" shows many questions and answers with SQL Injection vulnerabilities.

By providing an API that makes it virtually impossible to create an SQL Injection vulnerability, we can allow novices to write code safely. Once you know what the `sql` tag is doing, it's really easy to review the code and be confident it isn't vulnerable.


Until you accidentally leave out that `sql` tag. Or will that now generate an error?
Yes, as it says in the article. The tag returns a class that's an instance of SQLQuery. All the @databases clients only accept SQLQuery instances and don't accept strings. This means you get a runtime error if you're using JavaScript, and a type error at build time if you're using TypeScript.
It will, since the object returned by the tag is not a string.
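The mechanism discussed in the comments above, as an added JavaScript illustration that is not the @databases library's own code: a minimal `sql` tag that returns an `SQLQuery` object with the interpolated values bound as positional parameters, and a hypothetical client function `runQuery` that accepts only such objects, so leaving the tag off produces a runtime error instead of string concatenation.

```javascript
'use strict';

// Query text plus separately bound parameters; never a single string.
class SQLQuery {
  constructor(text, values) {
    this.text = text;     // e.g. 'SELECT ... WHERE name = $1'
    this.values = values; // e.g. ["O'Brien"], sent to the driver separately
  }
}

// Tagged-template function: literal chunks become query text, every
// interpolated value becomes a $n placeholder. Nested SQLQuery fragments
// are spliced in with their placeholders renumbered.
function sql(strings, ...exprs) {
  let text = '';
  const values = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i >= exprs.length) return;
    const v = exprs[i];
    if (v instanceof SQLQuery) {
      const offset = values.length;
      text += v.text.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + offset}`);
      values.push(...v.values);
    } else {
      values.push(v);
      text += `$${values.length}`;
    }
  });
  return new SQLQuery(text, values);
}

// Hypothetical stand-in for a database client's query method: it refuses
// plain strings, which is what turns a forgotten tag into a runtime error.
function runQuery(query) {
  if (!(query instanceof SQLQuery)) {
    throw new TypeError('query must be built with the sql tag, not a string');
  }
  return { text: query.text, values: query.values }; // would go to the driver
}

// Correct usage: the quote in the constructed input stays a bound value.
function lookupUser(name) {
  return runQuery(sql`SELECT * FROM users WHERE name = ${name}`);
}

// Forgotten tag: this is an ordinary template string, so runQuery throws.
function lookupUserWithoutTag(name) {
  return runQuery(`SELECT * FROM users WHERE name = '${name}'`);
}
```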