
How is SQL Injection real?

Name: Anonymous 2018-10-19 8:11

What kind of a backwards language do you have to use that doesn't have the simple feature of protecting you from it out of the box? Are you building your queries by concatenating strings like a CS freshman?

Name: Anonymous 2018-10-21 17:24

>>12
do string concatenation for the SQL query but only insert source level constants

table_names = {'users': 'users'}
table_name = table_names.get(user_input)
if table_name:
    query("select * from " + table_name)
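
The allowlist idea from the post above, as an added example that is not code from the thread: it goes one step further by also allowlisting a sort column and by binding the compared value through a placeholder, since identifiers cannot be bound as parameters but values can. The names TABLES, SORT_COLUMNS, build_query, fetch and demo_db, and the sample schema, are assumptions made for the illustration.

```python
import sqlite3

# Source-level constants: the only identifier text that ever reaches the SQL string.
TABLES = {"users": "users", "posts": "posts"}
SORT_COLUMNS = {"users": {"id": "id", "name": "name"},
                "posts": {"id": "id", "title": "title"}}


def build_query(table_input, sort_input="id"):
    """Map untrusted input to constants; raise instead of concatenating it."""
    table = TABLES.get(table_input)
    if table is None:
        raise ValueError("unknown table")
    column = SORT_COLUMNS[table].get(sort_input)
    if column is None:
        raise ValueError("unknown sort column")
    # Identifiers come from the allowlist; the value still uses a placeholder.
    return f"SELECT * FROM {table} WHERE id >= ? ORDER BY {column}"


def fetch(conn, table_input, min_id, sort_input="id"):
    """Run the allowlisted query with min_id passed as a bound parameter."""
    sql = build_query(table_input, sort_input)
    return conn.execute(sql, (min_id,)).fetchall()


def demo_db():
    """Constructed in-memory sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER, name TEXT);"
        "CREATE TABLE posts (id INTEGER, title TEXT);"
        "INSERT INTO users VALUES (1, 'bob'), (2, 'alice');"
        "INSERT INTO posts VALUES (1, 'hello');"
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch(conn, "users", 1, "name"))
    # Constructed inputs that are not keys of the allowlist.
    for bad in ("users; DROP TABLE users", "sqlite_master", "Users"):
        try:
            fetch(conn, bad, 1)
        except ValueError as exc:
            print(repr(bad), "rejected:", exc)
```

Anything that is not an exact key of the dictionaries is rejected before a query string exists, including real table names such as sqlite_master that were never meant to be reachable.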
