Comment by matsemann
2 days ago
It's like old-school PHP where we used string concatenation with user input to generate queries and a whack-a-mole of trying to detect harmful strings.
So stupid, the fact that we can't distinguish between data and instructions and make the same mistakes decades later.