by Pxtl
4328 days ago
Honestly, I find it's bad tools. Every database lib I've worked with tried to bully you into using prepared/compiled queries or full ORM queries, but occasionally you still have to break out and smash strings together to build queries. And when that happens? You can't help but notice that nobody provides you with a simple "EscapeSql" function you can use, so I always have to roll my own (or do horrible things with dynamically constructing the parametrized query and the parameter array in parallel). I wouldn't be surprised if many developers just throw up their hands and skip sanitizing.
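The "parametrized query and parameter array in parallel" approach the comment mentions is the one that needs no escaping function at all, so here is an added example of it (not the commenter's code). It uses Python's standard `sqlite3` module against an in-memory database with a few constructed rows; the `users` table, its columns and the `ALLOWED_COLUMNS` whitelist are assumptions for the demo. Column names cannot be bound as parameters, so they are checked against a fixed list, while every value travels in the parameter list and is compared as data, even when it contains quote characters.

```python
import sqlite3
from typing import Any

# Columns callers may filter on (assumed for this demo). Identifiers cannot
# be bound as parameters, so they are validated against a fixed set instead.
ALLOWED_COLUMNS = ("username", "email", "role")


def build_select(filters: dict[str, Any]) -> tuple[str, list[Any]]:
    """Return (sql, params): a SELECT on users with a dynamic WHERE clause.

    The SQL text only ever contains whitelisted column names and '?'
    placeholders; every caller-supplied value goes into params, so the
    driver binds it as data and nothing needs escaping.
    """
    clauses: list[str] = []
    params: list[Any] = []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if isinstance(value, (list, tuple, set)):
            values = list(value)
            if not values:
                clauses.append("0 = 1")  # an empty IN () is not portable SQL
                continue
            placeholders = ", ".join("?" * len(values))  # one '?' per element
            clauses.append(f"{column} IN ({placeholders})")
            params.extend(values)
        else:
            clauses.append(f"{column} = ?")
            params.append(value)
    sql = "SELECT username, email, role FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "user"),
            ("carol", "carol@example.com", "user"),
        ],
    )
    conn.commit()
    return conn


def query_users(conn: sqlite3.Connection, filters: dict[str, Any]) -> list[tuple]:
    """Build the query and its parameter list together, then execute them."""
    sql, params = build_select(filters)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(query_users(db, {"role": "user"}))
    print(query_users(db, {"role": ["admin", "user"], "username": "alice"}))
    # A value full of quote characters is still just a string to compare,
    # so this matches no row instead of altering the query.
    print(query_users(db, {"username": "' OR '1'='1"}))
```

The two lists grow in lockstep, which is the whole trick: the SQL string never sees a value, only a placeholder, so the driver's binding layer does the quoting correctly for its dialect. Table and column names still have to be whitelisted, because no binding API can parameterize identifiers.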