It is not clear to me by looking at the source code if the method
`public Sql Append(string sql, params object[] args)` in the NPOCO library prevents SQL injection.
For simplicity (my query is more complex than this), given the following example, with `filter` being a parameter passed by the client:
```csharp
var sql = new Sql();
sql.Append("SELECT * FROM Request WHERE [Company] LIKE @0", $"%{filter}%");
```
Is this code prone to SQL injection?
The `SqlBuilder.AddTemplate` code takes in this exact same kind of SQL string. I then followed through the `Fetch` code in NPoco. In the end you end up with a parameterized query such as

```sql
DECLARE @0 Int = '4' DECLARE @1 NVarChar = '%bad sql%' OR 1=1 --%'
SELECT BLAH WHERE Something = @0 AND SomethingElse = @1
```
which will break on the SQL injection and thus return NULL.
A good way to test your fears is to download NPOCO and just add it to your solution: refer to it rather than the NuGet package, and step through the code to see the final result.
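To make the difference concrete, here is an added example (not code from the question, the answer, or the NPoco project) that reproduces the two approaches with Python's built-in `sqlite3` standing in for SQL Server, so it runs offline. The `Request` rows are constructed sample data, `?` plays the role NPoco's `@0` plays, and the `'%' OR 1=1 --` payload is the same shape as the one in the answer. It also shows the caveat a parameterized LIKE does not cover: `%` and `_` in the user's text are still wildcards unless escaped with an `ESCAPE` clause.

```python
import sqlite3

# Constructed sample data standing in for the page's Request table and [Company] column.
ROWS = [
    ("acme corp", "public"),
    ("acme labs", "public"),
    ("globex", "secret"),
]


def make_db():
    """Build an in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Request (Company TEXT, Visibility TEXT)")
    conn.executemany("INSERT INTO Request VALUES (?, ?)", ROWS)
    return conn


def search_concat(conn, filter_text):
    """UNSAFE: the client value is spliced into the SQL text, so quotes and
    comment markers in it change the statement's structure."""
    sql = (
        "SELECT Company FROM Request WHERE Company LIKE '%"
        + filter_text
        + "%' AND Visibility = 'public'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, filter_text):
    """SAFE against injection: the whole pattern, wildcards included, is bound as
    one parameter value. This mirrors the question's
    sql.Append("... LIKE @0", $"%{filter}%"); sqlite3 uses ? where NPoco uses @0."""
    sql = "SELECT Company FROM Request WHERE Company LIKE ? AND Visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (f"%{filter_text}%",))]


def escape_like(value, esc="\\"):
    """Caveat: % and _ inside the client's text are still LIKE wildcards even when
    bound as a parameter. Escape them (and the escape character itself) first."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_param_escaped(conn, filter_text):
    """Parameterized AND wildcard-safe: the pattern is bound, and the ESCAPE clause
    tells the engine that \\% and \\_ are literal characters."""
    sql = (
        "SELECT Company FROM Request WHERE Company LIKE ? ESCAPE '\\' "
        "AND Visibility = 'public'"
    )
    return [row[0] for row in conn.execute(sql, (f"%{escape_like(filter_text)}%",))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concat  :", search_concat(db, payload))          # leaks the secret row
    print("param   :", search_param(db, payload))           # payload is just text
    print("param % :", search_param(db, "%"))               # wildcard still matches all public rows
    print("escaped :", search_param_escaped(db, "%"))       # literal % matches nothing
```

In the concatenated version the payload closes the string literal, appends `OR 1=1`, and comments out the `Visibility` check, so the secret row comes back. In the bound version the engine compares `Company` against the literal pattern `%' OR 1=1 --%`, which matches nothing, which is the "breaks on the injection" behaviour the answer describes. Wildcard characters are a separate, non-injection concern: a client sending `%` or `_` can widen a parameterized LIKE, so escape them when that matters (SQL Server also supports `ESCAPE`).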