Learning.
When we use SQL, there is a need to escape user input, or better, to use prepared statements to avoid injections.
Is this need due to a flaw in the SQL language?
Imagine I have an HTTP server and I put the user input directly in a binary file; are there possible injections?
When I need to read it again: fopen, fread, fclose and job done, no? Still not vulnerable, I guess (I'm not talking about sanitization to avoid XSS in the client's browser, just injection).
In the end, SQL puts strings in a file too.
So what is the difference? Is the SQL language weak? Is my method at risk? Why?
If you build an SQL command string, you should always escape the parts of it coming from user input.
Otherwise, use prepared statements.
It is not really a weakness of SQL, but a property of most Turing-complete interpreted languages. Code injection can (and does) happen outside of SQL (e.g. in shell scripts, PHP code, etc.).
Read also about Quine programs (and Google for anti-quotations and quasi-quotations in your programming languages).
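The difference the answer describes, as an added example that is not from either poster: a lookup built by string concatenation beside the same lookup as a prepared statement, plus the raw-file round trip from the question. It uses Python's sqlite3 module; the table, its rows and the sample input are constructed for the demonstration.

```python
import sqlite3
import tempfile

# Constructed sample input: a value carrying a quote and SQL syntax, as a
# client could send it in a form field.
USER_INPUT = "' OR '1'='1"


def setup():
    """In-memory table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2")])
    return con


def lookup_concat(con, name):
    """Vulnerable: the value is pasted into the command text, so the SQL
    interpreter parses the quote and the OR as syntax, not as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(con, name):
    """Safe: the statement's structure is fixed before the data is bound,
    so the whole value, quote included, stays inside one string literal."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name,))]


def roundtrip_file(data: bytes) -> bytes:
    """The questioner's scheme: bytes written with no interpreter in the
    path come back unchanged; there is no syntax to break out of."""
    with tempfile.NamedTemporaryFile() as f:
        f.write(data)
        f.flush()
        f.seek(0)
        return f.read()


if __name__ == "__main__":
    con = setup()
    print("concatenated:", lookup_concat(con, USER_INPUT))    # every row leaks
    print("prepared:    ", lookup_prepared(con, USER_INPUT))  # no such user
    print("file:        ", roundtrip_file(USER_INPUT.encode()))
```

Escaping the quote before concatenation would also close this particular hole, but it must be done correctly for every value and every dialect, which is why the answer prefers prepared statements.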