
But this is not a language issue but some educational problem; it depends on luck whether you land on some bad book or tutorial. If the language offers performance, it must give me access to unsafe stuff like running raw SQL.



Of course. I am trying to find it now, but I recently used a sqlite library where, barring bugs in escaping, there was no way to execute SQL queries in the "simple API" with strings that were not compile-time constants. A dynamically generated string would be refused with a clear error message pointing to the correct part of the manual.

The raw queries were hidden in a sqlite3/DANGEROUS library. Despite doing things like stepping queries, bypassing the statement cache or mucking around and changing parameterized queries, I didn't have to touch the DANGEROUS API.
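An added sketch of the API shape described in the comment above; it is not part of the thread and not the library the commenter used. Python has no compile-time check, so this approximates one at run time on CPython by accepting only SQL text that is a constant of the calling code; the names `query`, `DANGEROUS.raw_query` and `DynamicSQLError` are hypothetical.

```python
import sqlite3
import sys


class DynamicSQLError(TypeError):
    """Raised when the simple API is handed SQL text that is not a literal."""


def query(conn, sql, params=()):
    """Simple API (hypothetical): run `sql` only if it is a constant of the caller.

    CPython loads a string literal straight from the caller's code object, so
    the argument is the very object stored in co_consts. Text assembled at run
    time (f-string, +, %, .format) is a new object and fails the identity test.
    """
    caller = sys._getframe(1).f_code  # CPython-specific frame access
    if not any(sql is const for const in caller.co_consts):
        raise DynamicSQLError(
            "SQL text must be a string literal; pass values through `params` "
            "(placeholders), or use DANGEROUS.raw_query for generated SQL"
        )
    return conn.execute(sql, params).fetchall()


class DANGEROUS:
    """Escape hatch (hypothetical), named so every use stands out in review."""

    @staticmethod
    def raw_query(conn, sql, params=()):
        return conn.execute(sql, params).fetchall()


def demo():
    """Constructed sample data; returns (rows from literal query, rejected?)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    name = "O'Brien"  # constructed input containing a quote character
    # Literal text plus a bound parameter: accepted, the input stays data.
    rows = query(conn, "SELECT role FROM users WHERE name = ?", (name,))
    try:
        # Same lookup built by concatenation: refused before it reaches SQLite.
        query(conn, "SELECT role FROM users WHERE name = '" + name + "'")
        rejected = False
    except DynamicSQLError:
        rejected = True
    return rows, rejected
```

A constant defined in another module is also refused by this check, which errs on the strict side; a statically typed language can enforce the same rule at compile time instead.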



