Hacker News

It's amazing how many SQL Injection vulnerabilities I see in brand new code. At least with an ORM, this is abstracted away unless you try extremely hard to create such a vulnerability.


Parameterized queries are a thing in every popular driver in every popular language (except Lua). It's been quite a while since I saw a tutorial using string concatenation.

Thank heaven those dark days of horrible PHP/MySQL SQL injection tutorials everywhere came to a close.

For the record, I've seen SQL injection attacks in ORMs too, though far more rarely than the "100 separate queries to render this web page" insanity that avoiding SQL knowledge inevitably brings.


Heh, I remember lots of "100 separate queries to render this web page" insanity with doing some CMS work ages ago (actually 200+ was sometimes common). Only thing was it didn't have an ORM either :)

Someone will probably correctly guess which one it was...


Demonstrate how easily and accidentally one can make an SQL injection with these:

https://github.com/porsager/postgres

https://github.com/gajus/slonik
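The contrast the thread is drawing (string concatenation versus parameterized queries, and the tagged-template style that the two linked libraries use) in a self-contained form. This is an added example, not code from the thread or from porsager/postgres or slonik: the `sql` tag below is a minimal stand-in that only builds a `{ text, values }` pair and never talks to a database, and the input string is constructed for the demonstration.

```javascript
// Added example: a minimal tagged-template helper that turns interpolated
// values into positional parameters, beside the concatenation it replaces.
// Not the API of any real library; nothing here connects to a database.

// Constructed input: a quote that closes the literal, then an always-true clause.
const HOSTILE_NAME = "alice' OR '1'='1";

// Vulnerable pattern: the input is spliced into the SQL text, so its quote
// terminates the string literal and the remainder is parsed as SQL.
function concatQuery(name) {
  return "SELECT id FROM users WHERE name = '" + name + "'";
}

// Safe pattern: a tag function receives the literal fragments and the
// interpolated values as separate arguments. The values never touch the SQL
// text; each becomes a $n placeholder and is shipped alongside the text in
// the { text, values } shape that node-postgres style drivers accept.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((_, i) => {
    text += "$" + (i + 1) + strings[i + 1];
  });
  return { text, values };
}

function paramQuery(name) {
  // Tag form: `name` is passed to sql() as a value, not spliced into the text.
  return sql`SELECT id FROM users WHERE name = ${name}`;
}

// Crude structural check used only to make the difference visible: count the
// single quotes present in the SQL text the driver would actually parse.
function quoteCount(text) {
  return (text.match(/'/g) || []).length;
}

// Stand-alone run: show both shapes side by side.
console.log(concatQuery(HOSTILE_NAME));      // quote-delimited SQL with the input inside
console.log(paramQuery(HOSTILE_NAME));       // { text: '... name = $1', values: [ ... ] }
```

The accident the last comment alludes to is the one-character difference between the tag form `` sql`...${name}` `` and a plain template literal such as `` sql(`...${name}`) `` or a pre-built string: only in the tag form does the value reach the helper separately from the text. Grepping for `sql(` followed by a backtick or a concatenated string is a cheap review check for that mistake.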



