This is a pragmatic piece of Fowler on the rather dry topic of Object-relational mappings - in short, the attempt to marry an object-oriented code base with a relational data base.
Usually you’d get enough early success to commit deeply to the framework and only after a while did you realize you were in a quagmire - this is where I sympathize greatly with Ted Neward’s famous quote that object-relational mapping is the Vietnam of Computer Science
What Fowler refers to here, is Ted Neward’s article “The Vietnam Of Computer Science”
You don’t need ORMs to prevent SQL injection. Prepared statements have existed for decades.
That’s what I thought too: https://programming.dev/comment/22854391
But it seems to be possible to still do them wrong.
If you don’t use the parameter functionality of prepared statements, yeah. That also means you don’t use a prepared statement, you construct varying sql strings and prepare varying “prepared” statements.