by Groxx 4999 days ago
Which is why you sanitize input. Which every SQL-communicating system must eventually do somewhere - this is no different.

Besides, that's just an example snippet.

1 comment

If you sanitize input, it implies you're inserting the input into an execution environment. If possible, it's better to treat data as data.

In the JavaScript eval case, it's definitely possible; just access the data through a variable instead of inserting it into the eval'ed code.
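As an added example (not code from the thread or from either commenter), here are the two approaches the reply contrasts, applied to one small task: building a greeting from a user-supplied name. `greetBySplicing` inserts the value into the source text that `eval` parses; `greetViaVariable` keeps the code fixed and passes the value in as a parameter of a `new Function`. The function names and the constructed input value are assumptions for illustration only.

```javascript
// Added example, not part of the original thread. It compares splicing
// user data into eval'ed source text with handing the data to fixed code
// through a variable, as the reply above recommends.

// Splicing: the data becomes part of the program text, so the parser decides
// where the string literal ends. A double quote inside `name` changes the code.
function greetBySplicing(name) {
  const src = 'var out = "Hello, ' + name + '!"; out;';
  return eval(src);
}

// Data as data: the code is a fixed string and `name` arrives as a parameter.
// Whatever the value contains, it is only ever a value, never parsed as code.
function greetViaVariable(name) {
  const fn = new Function('name', 'return "Hello, " + name + "!";');
  return fn(name);
}

// Constructed input: it closes the string literal and adds an arithmetic
// expression. When spliced, (1+1) is evaluated; via the variable, it is text.
const SAMPLE_INPUT = 'x" + (1+1) + "';

// Runs both functions on an ordinary name and on the constructed input so the
// difference is visible as return values rather than only as printed output.
function demo() {
  return {
    plain: [greetBySplicing('Ada'), greetViaVariable('Ada')],
    tricky: [greetBySplicing(SAMPLE_INPUT), greetViaVariable(SAMPLE_INPUT)],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

For an ordinary name both functions return the same string; for the constructed input, the spliced version returns `Hello, x2!` because the parser treated part of the data as code, while the variable version returns the input verbatim. The same reasoning is why `JSON.parse` rather than `eval` is the right tool when the data itself is JSON text.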