Normally there’s a separation between raw SQL and commands being issued by the UI to avoid what you’re describing (SQL Injection).
For example, the UI might call /posts/new with a JSON body describing the new post, this might look like,
NewPost {
title: String,
body: String,
author: UserId
}
The Lemmy server then going to receive that “message” from the UI and use it to execute something like
INSERT INTO posts SET title='my post' body='thoughts and stuff, I dunno' author_id='my user id'
This is fine.
What’s actually the problem is if you do something more complex, like if the UI queries for all posts by a set of authors where the time they were submitted was between some specific date range with contents matching blah blah blah and some other criteria. Make a the right query and you might hit a situation where the database behind the Lemmy server doesn’t have the data organized (think, like, a library; how things are organized by author name, or book title) in a way that makes finding matching results an easy thing to do; and instead the database need to look over every. single. post. multiple times to gather up the right results.
Now do this 1000s of times in quick succession.
Ah, this explains why I can’t ask Siri for the weather forecast anymore.
Now I have to go outside to find out. Fine.