[ohwp]

I think it's still very easy to create injectable queries. Prepared statements are a good start but people still forget to escape everything.

For example:

  prepare("SELECT name FROM users WHERE country = ? ORDER BY " + unescapedVar, country);
  

So I wonder, is there any way to force programmers into writing secure queries (by not writing queries)? Is ORM the way to go?

[Eiwatah4]

Just generally, don't write SQL queries as strings. An ORM is one option, language-level extensions another. But for that you need some good macros in your language - or convince the maintainers of your compiler to add it to the language (like Microsoft did in C#).