by thornygreb 3983 days ago
Because if you use the input parameters correctly they are immune to injection.

If you concatenate unsanitized input you are susceptible no matter where you write the SQL.

I get that. That is exactly the same condition as sanitizing inputs in every other context of passing parameters to a service/proc/func. I would not phrase immunity to injection conditionally; there is no immunity, only sanitizing inputs.
Though that's also true if it's done application-server side.
Yup. Examples: value stored in a table is concatenated into a query without escapement, leaving it vulnerable to injection. Whose job was it to ensure the DB contained clean data? My policy has been to call quote_identifier or quote_literal (PostgreSQL) where applicable, or use typecasts to enforce value literals.
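The two patterns the thread contrasts, side by side in PostgreSQL PL/pgSQL. This is an added example, not code from any commenter: one function concatenates its argument into the SQL text (the failure mode the last comment describes), the other passes values as bound parameters via `USING` and routes a dynamic identifier through `format('%I')`, with `quote_literal` / `format('%L')` for the case where a string really has to be inlined. The `accounts` table and the function names are assumptions for illustration.

```sql
-- Added example (not from the thread). Table and function names are assumed.
CREATE TABLE accounts (id serial PRIMARY KEY, username text, balance numeric);
INSERT INTO accounts (username, balance) VALUES ('alice', 10), ('bob', 20);

-- 1. Vulnerable: the argument is spliced into the SQL string, so any quote
--    character in p_name becomes part of the query structure instead of data.
CREATE OR REPLACE FUNCTION get_balance_unsafe(p_name text)
RETURNS numeric LANGUAGE plpgsql AS $$
DECLARE
  v_balance numeric;
BEGIN
  EXECUTE 'SELECT balance FROM accounts WHERE username = ''' || p_name || ''''
    INTO v_balance;
  RETURN v_balance;
END;
$$;

-- 2. Hardened: the value is a bound parameter ($1 ... USING), so it never
--    enters the SQL text. A column name cannot be bound, so it goes through
--    format('%I'), which quotes it as an identifier (same as quote_ident).
CREATE OR REPLACE FUNCTION get_column_safe(p_col text, p_name text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
  v_out text;
BEGIN
  EXECUTE format('SELECT %I::text FROM accounts WHERE username = $1', p_col)
    INTO v_out
    USING p_name;
  RETURN v_out;
END;
$$;

-- 3. When the value must be inlined as text (e.g. SQL generated for later
--    use), quote_literal / format('%L') emit a correctly escaped literal.
SELECT quote_literal($$o'reilly$$);                       -- 'o''reilly'
SELECT format('SELECT 1 WHERE username = %L', $$o'reilly$$);

-- The check: a value containing a quote is plain data to the safe function
-- but corrupts the query text in the unsafe one.
SELECT get_column_safe('balance', 'alice');               -- 10
SELECT get_column_safe('balance', $$o'reilly$$);          -- NULL (no such row)
SELECT get_balance_unsafe($$o'reilly$$);                  -- syntax error: the quote
                                                          -- terminated the literal
```

The point the top comment makes holds here: `get_column_safe` is not "sanitized", it simply never lets the value touch the SQL text, and that property survives whether the function lives in the database or the same query is built application-side with placeholders. `quote_literal` is the fallback for the case in the last comment, where a string read from a table is spliced into another statement.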