just spent the last 3 hours dealing with a stupid sql injection vulnerability because our dev team decided to just use a plain old string interpolation in a critical query. yeah, that's gonna end well.