Rather than having a full ORM, a SQL system that didn't put in variables by embedding strings would be useful. You can almost do this. SQL has variables, but they're more persistent than needed for this.
SELECT a,b,c FROM tab WHERE a=@mysearchkey;
An API should look something like
result = sql->command("SELECT a,b,c FROM tab WHERE a=@mysearchkey;",
{"@mysearchkey": val })
and the result should be a key/value form. In some languages, you might get a
typed structure back. No more string escapes. No more forgetting the string escapes.
If you required that the command had to be a constant, SQL injection attacks would be a thing of the past.
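As an added illustration of the API sketched above (this is not code from the thread), here is the string-embedding form beside the constant-command-plus-parameters form, using Python's sqlite3 driver with its `:name` placeholders standing in for `@mysearchkey`; the table and rows are constructed for the demo.

```python
import sqlite3


def build_db():
    # Constructed in-memory table matching the query in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tab (a TEXT, b TEXT, c TEXT)")
    conn.executemany(
        "INSERT INTO tab VALUES (?, ?, ?)",
        [("alice", "b1", "c1"), ("bob", "b2", "c2"), ("o'brien", "b3", "c3")],
    )
    return conn


def search_with_string_embedding(conn, val):
    # Vulnerable form: val is spliced into the command text, so any quote in
    # val changes the structure of the SQL. Returns None when the resulting
    # text is not even valid SQL (the "forgot the escape" failure mode).
    sql = "SELECT a,b,c FROM tab WHERE a='%s'" % val
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def search_parameterized(conn, val):
    # The form the post asks for: the command text is a constant and the
    # value travels separately in a key/value map; the driver never
    # interpolates val into the text, so no escaping is needed.
    command = "SELECT a,b,c FROM tab WHERE a=:mysearchkey"
    return conn.execute(command, {"mysearchkey": val}).fetchall()


def as_key_value(rows):
    # Key/value result form, as the post describes.
    return [dict(zip(("a", "b", "c"), row)) for row in rows]


if __name__ == "__main__":
    db = build_db()
    for v in ("bob", "o'brien", "' OR 'a'='a"):
        print(repr(v), "embedded:", search_with_string_embedding(db, v),
              "parameterized:", as_key_value(search_parameterized(db, v)))
```

A value containing a quote breaks the embedded form outright, while a tautology-shaped value turns the embedded query into a match-everything query; the parameterized form treats both as plain strings to compare against column `a`.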
Almost every single native RDBMS API provides parameterized queries / prepared statements where the parameters are sent separately from the query text. Here's one from MySQL:
String escapes should have been dead a few decades ago -- I don't think any modern platform requires it; they all support parameterized queries natively.