> Finally - and most importantly as I've detailed above, db_odbc doesn't use
> parameterisation and instead just uses string concatenation, so injections
> are still possible:
> [https://github.com/nim-lang/Nim/blob/b6924383df63c91f0ad6baf63d0b1aa84f9329b7/lib/impure/db_odbc.nim#L194](https://github.com/nim-lang/Nim/blob/b6924383df63c91f0ad6baf63d0b1aa84f9329b7/lib/impure/db_odbc.nim#L194)
How so? And mapping values to (named) parameters is the easy stuff; often you need to generate the **query** based on some filter setting, and then it's still all the same bad string-based SQL construction. Many APIs do not offer to construct the SQL parse tree...
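The dynamic-filter case raised above is exactly where parameterisation alone is not enough, because column names cannot be bound as parameters. The following is an added example written for this thread, not code from Nim's db_odbc or from either poster. It uses Python's sqlite3 and a constructed in-memory `users` table to show two query builders side by side: one that concatenates filter values into the SQL text (the pattern the quoted message objects to), and one that binds every value as a `?` parameter and restricts filterable column names to an allowlist, since the database API gives no parse-tree builder to lean on.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the thread).
SAMPLE_ROWS = [("alice", "Oslo"), ("bob", "Bergen"), ("carol", "Oslo")]

# Allowlist of columns a caller may filter on. Identifiers cannot be bound as
# parameters, so the only safe way to make them dynamic is to check them
# against a fixed set before they reach the SQL text.
ALLOWED_COLUMNS = {"name", "city"}


def setup_db():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO users (name, city) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(filters):
    """String-concatenation builder: filter values land directly in the SQL text.

    Kept here only to contrast with build_query below; a quote character in any
    value changes the meaning of the statement.
    """
    where = " AND ".join(f"{col} = '{val}'" for col, val in filters.items())
    return f"SELECT id FROM users WHERE {where}", ()


def build_query(filters):
    """Dynamic WHERE clause with allowlisted identifiers and bound values.

    The query *shape* is still built from strings, but every piece that comes
    from the caller is either checked against ALLOWED_COLUMNS (column names)
    or passed to the driver as a parameter (values).
    """
    clauses = []
    params = []
    for col, val in filters.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed in filter: {col!r}")
        clauses.append(f"{col} = ?")
        params.append(val)
    sql = "SELECT id FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, tuple(params)


def run(conn, builder, filters):
    """Build the query with the given builder and return the matching ids."""
    sql, params = builder(filters)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = setup_db()
    benign = {"city": "Oslo"}
    hostile = {"city": "' OR '1'='1"}  # constructed value containing a quote
    print("unsafe, benign :", run(conn, build_query_unsafe, benign))
    print("unsafe, hostile:", run(conn, build_query_unsafe, hostile))
    print("safe,   benign :", run(conn, build_query, benign))
    print("safe,   hostile:", run(conn, build_query, hostile))
```

With the benign filter both builders return the same two rows. With a value containing a quote, the concatenating builder returns every row because the value rewrote the WHERE clause, while the parameterised builder treats the whole string as a literal city name and returns nothing. The allowlist check on column names is what lets the query shape vary per filter setting without reintroducing string-based injection through the identifier position.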
