You can teach them. Everyone does this in the beginning, even you. If this type of code makes it into production, it's the senior folks fault; not the junior.
Edit:
One of the things that I have done is I personally have taken to pro-actively asking people to review my code (including the juniors) before a release. The code gets reviewed, the junior folks see it as a learning experience, people lose the fear of code review as a punishment, and they start doing the same thing.
What you are describing as "Inline SQL" should really be called "string concatenation without parameterization," and you don't have to do that to use a Micro ORM safely.
Consider this Dapper example:
string sql = "SELECT * from user_profile WHERE FirstName LIKE @name;";
var result = connection.Query<Profile>(sql, new {name = "%"+name+"%"});
It's fully parameterized, even though string concatenation is taking place. See the @ sign?
Or this example:
var dog = connection.Query<Dog>("select Age = @Age, Id = @Id",
new { Age = (int?)null, Id = guid });
which is roughly equivalent to the following ADO.NET code:
List<Dog> dog = new List<Dog>();
using(var cmd = connection.CreateCommand()) {
cmd.CommandText = "select Age = @Age, Id = @Id";
cmd.Parameters.AddWithValue("Age", DBNull.Value);
cmd.Parameters.AddWithValue("Id", guid);
using(var reader = cmd.ExecuteReader()) {
while(reader.Read()) {
int age = reader.ReadInt32("Age");
int id = reader.ReadInt32("Id");
dog.Add(new Dog { Age = age, Id = id });
}
}
}
If you need more flexibility than this, Dapper provides SQL Templates and an AddDynamicParms()
function. All SQL Injection safe.
So why use SQL strings in the first place?
Well, for the same reasons you would use custom SQL in any other ORM. Maybe the ORM is code-generating sub-optimal SQL, and you need to optimize it. Maybe you want to do something that is difficult to do in the ORM natively, like UNIONs. Or, maybe you simply want to avoid the complexity of generating all those proxy classes.
If you really don't want to write a SQL string for every CRUD method in Dapper (who does?), you can use this library:
https://github.com/ericdc1/Dapper.SimpleCRUD/
That will get you extremely simple and straightforward CRUD, while still giving you the flexibility of hand-written SQL statements. Remember, the ADO.NET example above was the way everyone did it before ORM's came along; Dapper is just a thin veneer over that.
Best Answer
In layman's words:
These are things that SQL is made to do and, believe it or not, I've seen done in code:
Doing these things instead of relying in SQL or the RDBMS leads to writing tons of code with no added value, meaning more code to debug and maintain. And it dangerously assumes the database will only be accessed via the application.