by rsynnott 1928 days ago
> I can guarantee there's a SQL injection issue somewhere.

This class of SQL injection issues can be eliminated by simply enforcing that all queries are string literals.

2 comments

I'd amend to this "... or composed of local string literals". Programmatically-generated SQL can be advantageous in terms of maintenance, readability and even performance, depending on the situation.
Concur. Adding parameters to a query is what a "bind" is for.
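An added example, not posted by anyone in the thread, of the two ideas above in working Python: a small AST lint that enforces the "query text must be a string literal, or composed of local string literals" rule at `execute()` call sites, and a sqlite3 query that passes the user-supplied value as a bind parameter so the SQL text itself stays a literal. The method names `execute`/`executemany`, the `SAMPLE_SOURCE` snippet, and the in-memory `users` table are all constructed for the demo.

```python
"""Added example: a literal-SQL lint plus a bind-parameter query (sqlite3)."""
import ast
import sqlite3

# Assumed names of the query-running methods the lint should inspect.
EXECUTE_NAMES = {"execute", "executemany"}


def is_literal_sql(node: ast.AST) -> bool:
    """True if the expression is a string literal or is built only from literals.

    Accepts plain str constants, '+' concatenation of such expressions, and
    f-strings with no interpolated values. Anything that can carry runtime data
    (names, calls, % formatting, .format(), f-string placeholders) is rejected.
    """
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_literal_sql(node.left) and is_literal_sql(node.right)
    if isinstance(node, ast.JoinedStr):
        return all(isinstance(v, ast.Constant) for v in node.values)
    return False


def find_dynamic_sql(source: str) -> list:
    """Return the line numbers of execute()/executemany() calls whose first
    argument (the SQL text) is not composed of string literals."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_NAMES
                and node.args
                and not is_literal_sql(node.args[0])):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed code under review: two compliant call sites, three violations.
SAMPLE_SOURCE = '''\
def lookup(cur, user_id, name):
    cur.execute("SELECT id FROM users WHERE id = ?", (user_id,))           # ok: literal + bind
    cur.execute("SELECT id, name "
                + "FROM users WHERE name = ?", (name,))                    # ok: literal concatenation
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")         # flagged: data concatenated
    cur.execute(f"SELECT id FROM users WHERE id = {user_id}")               # flagged: f-string placeholder
    cur.execute("SELECT id FROM users WHERE id = %s" % user_id)            # flagged: % formatting
'''


def query_by_name(name: str) -> list:
    """Look up a user by name with a literal query and a bound parameter.

    Uses an in-memory table with constructed rows. The SQL text is a literal;
    the caller's value is bound separately, so a quote character or SQL keyword
    inside `name` is compared as data and never becomes part of the statement.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    rows = conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (name,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print("dynamic SQL at lines:", find_dynamic_sql(SAMPLE_SOURCE))
    print("match for o'brien:", query_by_name("o'brien"))
    print("match for a tautology-shaped value:", query_by_name("x' OR '1'='1"))
```

The lint reports lines 5, 6 and 7 of the sample and leaves the literal concatenation on lines 3-4 alone, which is the amendment suggested in the first reply. The query helper returns the single `o'brien` row for that name and an empty list for a value shaped like a tautology, because with a bind the value is only ever compared against the `name` column.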