by afhof 4521 days ago
The language. Really the problem with SQL is the API. I like having a relational database, but SQL strings are a really crummy way of writing to it.
2 comments

What's so crummy about variable interpolation?

    def insert_person(first_name, last_name)
      # Values are spliced straight into the SQL text; no bind parameters are used.
      sql.query("insert into persons values('#{first_name}', '#{last_name}')")
    end
So long as you're not plugging form data directly into that function, that works just fine.

What happens when you have to deal with a crazy pop star with a " in his (real, legal, you-are-the-unreasonable-one-for-demanding-something-else) name? (This is ignoring the myriad of issues that come with parameterizing names into "first name" and "last name" in the first place, but that's a separate thing.)

This is what binding variables is for, but to use them you're either writing for specific platforms (PSQL, Oracle SQL, etc.), or you're using middleware that hides the raw SQL from you.
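To make the difference between interpolation and bound variables concrete, here is an added example (not from any commenter) in Python, chosen because its standard library ships SQLite, so it runs with no driver install. The `persons` table and the names are constructed for the demo; the interpolated insert fails on a name containing a quote, while the bound insert stores it intact.

```python
import sqlite3


def make_db():
    # Constructed in-memory table mirroring the thread's "persons" example.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table persons (first_name text, last_name text)")
    return conn


def insert_interpolated(conn, first_name, last_name):
    # The pattern from the thread: values spliced into the SQL text itself.
    # A quote character in a name becomes SQL syntax, not data.
    conn.execute(
        f"insert into persons values('{first_name}', '{last_name}')"
    )


def insert_bound(conn, first_name, last_name):
    # Bind parameters: the driver ships the values separately from the
    # statement text, so quotes inside a name are always treated as data.
    conn.execute("insert into persons values(?, ?)", (first_name, last_name))


def lookup(conn, last_name):
    return conn.execute(
        "select first_name, last_name from persons where last_name = ?",
        (last_name,),
    ).fetchone()


def demo(first_name, last_name):
    """Return (interpolation_succeeded, row_stored_via_binding)."""
    conn = make_db()
    try:
        insert_interpolated(conn, first_name, last_name)
        interpolation_ok = True
    except sqlite3.Error:
        # Unbalanced quote in the statement text: the database rejects it.
        interpolation_ok = False

    bound_conn = make_db()
    insert_bound(bound_conn, first_name, last_name)
    return interpolation_ok, lookup(bound_conn, last_name)
```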

This is a problem with the string domain, not with SQL. You'd have it no matter what data persistence method you use. The answer is to put logic between that function and your form data puller.

Then don't use SQL strings? There are many, many ORMs that abstract SQL strings to objects and relations.