Porsager’s Postgres package does a great job of letting you feel like you’re writing raw sql, but avoids the attack vectors.

Anyway, I agree that ORMs are pretty terrible. I like writing SQL or using a lightweight builder like Kysely. Was a huge Dapper fan back in my C# days.

There are plenty of reasonable alternatives to ORMs that don’t open you to SQL injection attacks.