
"constructing strings of code...which after being constructed have to be parsed for every single query?"

I don't know about MySQL, but my database caches compiled queries.

"Things like SQL injection attacks simply should not exist."

They don't exist, if you don't construct SQL queries by concatenating strings and variables.

Meanwhile, all the cool kids are talking about getting rid of procedural code in favor of declarative DSLs...

The article sounds like they will be trading one set of problems for another, if they implement SQL on any RDBMS using those techniques.
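As an added example (not from this thread or the article it discusses), here is the concatenation mistake the comment above describes beside the parameterised form, run against an in-memory SQLite table with constructed sample rows. The users table, its columns and the attacker strings are assumptions chosen for illustration.

```python
"""Added example, not code from the HN thread or the article under discussion.

Two versions of the same login lookup against an in-memory SQLite database
with constructed sample rows: one builds the SQL text by concatenating user
input into it, the other keeps the SQL text fixed and binds the values as
parameters. The table and column names are assumptions for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Vulnerable: user input becomes part of the statement text.

    Whatever the caller types is handed to the SQL parser as code, so a quote
    in the input changes the structure of the query rather than a value.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Safe: the statement text is a constant and the values are bound.

    The parser only ever sees the two '?' placeholders; the strings are
    delivered to the already-parsed statement and can only be compared as data.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # Classic tautology in the password field: the concatenated query
    # becomes ... AND password = '' OR '1'='1' and returns every user.
    print("concat, tautology:", login_concat(db, "alice", "' OR '1'='1"))
    # Comment injection in the name field: 'alice' -- ... drops the password check.
    print("concat, comment:  ", login_concat(db, "alice' --", "wrong"))
    # The parameterised query treats the same inputs as literal strings.
    print("param, tautology: ", login_param(db, "alice", "' OR '1'='1"))
    print("param, comment:   ", login_param(db, "alice' --", "wrong"))
    print("param, correct:   ", login_param(db, "alice", "s3cret"))
```

The two functions send byte-for-byte different things to the engine: the first sends a new statement per call that must be parsed each time, the second sends a fixed statement plus a separate list of values, which is also what lets a database cache the compiled plan.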

"They don't exist, if you don't construct SQL queries by concatenating strings and variables."

My point is, people still do this. You never hear about REST-injection or memcached-injection attacks, even though those are possible in principle, because those protocols don't encourage this mistake the way using SQL as a database API does.
