Why replace() is not considered a SQL injection vector

[EduardoThums]

Hi,

There's a strange behavior when scanning the code for SQL injections that I couldn't figure out why:

The replace() method in the string variables doesn't trigger the SQL injection warning, but some other string concatenations techniques like f-string do.

There's an explanation about why?

Example: playground.txt

[costaparas]

This is a great find!

str.replace can be just as dangerous as str.format.

In my view, they should both be considered equally by the test.

See PR #1044

[costaparas]

There are also other more convoluted ways in which to construct a string that can be prone to SQL injection, e.g. str.join. It might not be so productive to extend the tool to support such cases, but I wouldn't be surprised if someone has tried to use join in the past to build up a dangerous query.