In all languages ​​that have an eval function , it is possible to inject anything through it. And if in SQL it is still possible to somehow solve this problem with the help of proper character escaping, then in Turing-complete languages ​​it is theoretically possible to distinguish between malicious code that is safe in only one way: by executing it in the same environment and with the same input data as in real conditions.
Therefore, by the majority of coding conventions _{(by the way, how would it be in Russian?)} , the use of eval is completely prohibited. Code review in most large companies and large open-source projects will wrap up any pull-request in which eval is found, and after that, most likely, will not even consider subsequent requests from the same author.
Many antiviruses also have a heuristic analyzer designed to search for eval in scripts (turns on after the language is defined).

The presence or SQL Injection does not depend on the language, this vulnerability belongs to the category of "implementation errors" - when the developer forgot about the rule "do not trust any data coming from outside, check everything."
Read this article https://habrahabr.ru/post/148151/ , a general understanding of mechanics will come.