We make a first attempt at a database library. It hides potentially-complex SQL queries behind nice names, using simple SQL substitution to insert dynamic query parameters. Unfortunately, the ghost of the 1990s stings us and we end up with a framework-wide SQL injection vulnerability.