Not a huge project but has some users, and I still try to work on it to get the typings (TypeScript) where I want them.
Prepared statements are not in common use...? They must be talking about C language code I guess. How do C developers sanitize input?
So the high-level query function for the library was a variadic function that took a prepared statement-like string using unquoted literal `?' for parameters, and much like printf a very simple switch statement machine would iterate the query string and insert parameters itself, ensuring that quoting happened properly. (I forget how integers were handled; possibly with `#', or maybe some macro and type introspection hacks.) This way you could grep all lines where the query routine was invoked and verify that ? was in use. If ? was used, then clearly the developer was at least paying attention. Someone would have to go out of their way to use ? for some parameters, but manually and directly insert other parameters. Not an insurmountable barrier, but a tall one nonetheless for people even remotely conscious of security. The few places where ? wasn't used would stand out and could more easily be reviewed.
Admittedly, this wasn't a complete solution, and normally I avoid stringy types and free-form string processing entirely when programming in C. But most uses of the library occurred from Lua via C bindings. You couldn't directly invoke a C variadic function from Lua, so Lua code actually called a query function that reimplemented that API, reusing the same low-level string escaping routine.
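An added illustration of the printf-style `?` query builder the comment above describes; this is not the commenter's code. It assumes MySQL-style single-quoted literals (quotes doubled, backslashes doubled) and, following the comment's own guess, that `#` consumes an int:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append s to buf as a single-quoted SQL literal, doubling ' and \ so the
 * value can never close the literal. Returns 0, or -1 if buf would overflow
 * (room for the terminating NUL is always kept). */
static int append_quoted(char *buf, size_t cap, size_t *len, const char *s) {
    if (*len + 1 >= cap) return -1;
    buf[(*len)++] = '\'';
    for (; *s; s++) {
        int esc = (*s == '\'' || *s == '\\');
        if (*len + 1 + (size_t)esc >= cap) return -1;
        if (esc) buf[(*len)++] = *s;   /* write the dangerous char twice */
        buf[(*len)++] = *s;
    }
    if (*len + 1 >= cap) return -1;
    buf[(*len)++] = '\'';
    return 0;
}

/* Variadic query builder: `?` takes a const char * and inserts an escaped
 * literal, `#` takes an int (assumed here), everything else is copied as-is.
 * Returns the length written, or -1 on overflow (out is then empty). */
int query_fmt(char *out, size_t cap, const char *fmt, ...) {
    size_t len = 0;
    va_list ap;
    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt == '?') {
            if (append_quoted(out, cap, &len, va_arg(ap, const char *)) < 0) goto fail;
        } else if (*fmt == '#') {
            int n = snprintf(out + len, cap - len, "%d", va_arg(ap, int));
            if (n < 0 || (size_t)n >= cap - len) goto fail;
            len += (size_t)n;
        } else {
            if (len + 1 >= cap) goto fail;
            out[len++] = *fmt;
        }
    }
    va_end(ap);
    out[len] = '\0';
    return (int)len;
fail:
    va_end(ap);
    if (cap) out[0] = '\0';
    return -1;
}
```

Because every string parameter passes through `append_quoted`, a value like `x' OR '1'='1` stays inside one literal; only a call site that concatenates a parameter by hand would bypass this, which is exactly what grepping for `?` is meant to catch.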
There were plans to build out the binary protocol in Trilogy as well, it just hadn't been wrapped up by the time it was made open source. And if I recall, that branch fell pretty far behind. Maybe now that it is OSS, someone can contribute that :)