I move that whenever a programmer makes an error that enables an SQL injection attack, they should be unconditionally fired.
I make this motion because I believe it is as simple as this:
# immune $sth = $dbh->prepare('SELECT * FROM x WHERE y=?'); $sth->execute($untrusted);
# pointlessly vulnerable $sth = $dbh->prepare("SELECT * FROM x WHERE y=$untrusted"); $sth->execute();
Further, I believe that the same distinction is possible in any of the popular SQL APIs (for different languages than Perl, i.e.). It is not onerous to make injection-immune code by following a trivial style guide.
There are so many sublime bugs (i.e., mysql authentication vulnerability) in this world that are difficult to anticipate and would require an onerous application of a detailed style guide to reliably avoid. But SQL injection attacks are not in that class.
Fire them. And while we're at it, we should impeach Paul Vixie.