
Sanitising database inputs in Clojure with Korma


I'm using Korma behind a RESTful API, and it occurs to me that I'm passing user-submitted values through to my (insert) calls. Is there a nice way in Clojure to protect against SQL injection attacks? Korma generates SQL in a pretty straightforward way, so if somebody told me their name was little Bobby Tables, I'm fearful that it would hurt.


Solution

  • It's my understanding that Korma always generates parameterized SQL, at least for select and insert (I have not personally tested the others) so Little Baby Tables should be fine.

    Carefully scrutinize how these values are being returned from the database. Sanitizing DB input does nothing to protect from CSRF/XSS, etc. When working with Clojure and DB <--> web interactions I use the rule that All system components must encode the data in a way that is safe for the next server in the chain, and logical constraints (like max search size) are checked upfront in ring-middleware.

    Security is a cat/mouse arms race and there is no substitute for testing these things. Go ahead and put Little Baby Tables into every query and try all the combinations of encoding and multiple encoding you can think of. Demonstrating exploits can sometimes be a rather effective way to help coworkers learn to spot these things (just don't be a jerk about it).
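The check the answer recommends can be done without touching a database, because Korma's `sql-only` macro returns the SQL string it would send instead of executing it. The following is an added example, not code from the question, the answer or the Korma project; it assumes Korma 0.4.x with a SQLite driver on the classpath, a `users` table with `name` and `id` columns, and the file path `/tmp/korma-check.db`. It builds a select, insert, update and delete around a Bobby-Tables-style string and confirms that the string never appears in the generated SQL (it is sent as a `?` parameter), and then shows the one way Korma lets you re-introduce injection: raw SQL assembled with `str`, next to the parameterized `exec-raw` form.

```clojure
(ns example.korma-safety
  (:require [korma.core :refer [defentity select insert update delete
                                values where set-fields sql-only exec-raw]]
            [korma.db :refer [defdb sqlite3]]))

;; Assumed database and entity; the table/column names are an assumption.
(defdb db (sqlite3 {:db "/tmp/korma-check.db"}))
(defentity users)

;; Constructed hostile input in the classic Bobby Tables shape.
(def bobby "Robert'); DROP TABLE users;--")

(defn generated-sql
  "Return the SQL Korma would send for each DML form, without executing it.
   sql-only binds Korma's exec mode to :sql, so each call yields a string."
  [hostile]
  {:select (sql-only (select users (where {:name hostile})))
   :insert (sql-only (insert users (values {:name hostile})))
   :update (sql-only (update users (set-fields {:name hostile}) (where {:id 1})))
   :delete (sql-only (delete users (where {:name hostile})))})

(defn parameterized?
  "True when the hostile value is carried as a ? placeholder rather than
   spliced into the SQL text."
  [sql-str hostile]
  (and (.contains ^String sql-str "?")
       (not (.contains ^String sql-str hostile))))

(defn check-all
  "Map each DML form to whether its generated SQL is parameterized.
   Expected: every value true for select, insert, update and delete."
  [hostile]
  (into {} (for [[k sql] (generated-sql hostile)]
             [k (parameterized? sql hostile)])))

;; The escape hatch: exec-raw with a string you built yourself is plain
;; string concatenation, and the quote in `bobby` ends the literal early.
(defn find-user-unsafe [user-name]
  (exec-raw (str "SELECT * FROM users WHERE name = '" user-name "'") :results))

;; Same raw query done correctly: a [sql params] vector is sent as a
;; prepared statement, so the value can never change the statement's shape.
(defn find-user-safe [user-name]
  (exec-raw ["SELECT * FROM users WHERE name = ?" [user-name]] :results))

(comment
  (check-all bobby)
  ;; => {:select true, :insert true, :update true, :delete true}
  (:insert (generated-sql bobby))
  ;; => "INSERT INTO \"users\" (\"name\") VALUES (?)"
  (find-user-safe bobby))
```

`check-all` is the test to keep in the suite: run it over every encoding variant you can think of, and grep the result of `generated-sql` for any literal fragment of the input. Anything that reaches `exec-raw` or `korma.core/raw` as a string built from request data is outside that guarantee and needs the vector form shown in `find-user-safe`.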