Member since Nov 9, 2022
Replies:

I'd argue that Python generators should be in this list too. They are like a genie that can generate a rock sample on the fly without having to store the rocks in a big box.

An attacker might supply a malicious value such as 0; DROP TABLE Patients, with disastrous results.

Though I agree that you shouldn't concatenate user input into dynamic SQL, this classic SQL attack wouldn't work in IRIS as it doesn't allow you to run more than one command in a single execution.

You can try it yourself: when you %Prepare a query that contains "0; DROP TABLE XYZ", IRIS will throw an error that says:

ERROR #5540: SQLCODE: -25 Message:  Input (;) encountered after end of query^ SELECT ...

I added a line to clarify that either Sample.Person or a subclass are valid arguments. Appreciate your feedback.

Certifications & Credly badges:
Ali has no Certifications & Credly badges yet.