Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 02-Aug-2023 11:55:13 JST
@xocolatl @emacsen Well after having slept on it: SQL usage could also just separate data from code cleanly and get a nice subset that's just data, then get a clean way to separate between the two.
Like how JavaScript (code) got JSON (data) with a dedicated parser instead of eval or code concatenation, which allows passing external data, including wild ones like text, in a way that's nearly always going to be safe, even if your JSON encoder screwed up and forgot to escape some characters (where then it's either extra variables or a syntax error, not code injection).
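
Added example, not part of the original post: the JSON case described above, run through both a dedicated parser and code evaluation. The encoder `brokenEncode`, the helper names, the `probe` function and the two input strings are constructed for illustration.

```javascript
// Constructed, deliberately broken encoder: concatenates without escaping quotes.
function brokenEncode(name) {
  return '{"name": "' + name + '"}';
}

// Data-only path: the JSON grammar has no calls or operators, so the
// result is either a plain value or a SyntaxError.
function loadWithParser(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Code path (the pre-JSON habit): the text is run as a JavaScript expression.
// `probe` stands in for anything reachable from evaluated code.
function loadWithEval(text, probe) {
  return new Function('probe', 'return (' + text + ');')(probe);
}

function demo() {
  let calls = 0;
  const probe = () => { calls += 1; return 'ran'; };

  const extraKey = 'x", "admin": "yes';   // constructed input: unescaped quotes
  const callExpr = '" + probe() + "';      // constructed input: looks like code

  const out = {
    // Parser + broken encoder: an extra key appears, nothing executes.
    extraKey: loadWithParser(brokenEncode(extraKey)),
    // Parser + broken encoder: rejected as a syntax error.
    callExprParsed: loadWithParser(brokenEncode(callExpr)),
    // Evaluation + broken encoder: the embedded call runs.
    callExprEval: loadWithEval(brokenEncode(callExpr), probe),
    // Correct encoder: the same text round-trips as inert data.
    roundTrip: JSON.parse(JSON.stringify({ name: callExpr })).name === callExpr,
  };
  out.probeCalls = calls;
  return out;
}

console.log(demo());
```

The extra-key result is still a data-integrity problem for any consumer that trusts an `admin` field, so the parser narrows the failure to wrong data rather than removing the need for a correct encoder.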