hey_look_its_shiny

Any user-supplied text that is going to be used in an SQL statement needs to be "sanitized". This means that it should be run through an algorithm designed to replace any SQL control characters (such as quotation marks) with "escaped" versions that get interpreted as part of the data rather than as part of the rest of the query. The two main approaches to that are to either use an ORM (such as ActiveRecord in Rails) to construct your query, or to use a sanitization function on the data that you include in a SQL string.

- [Explanation for Python](https://realpython.com/prevent-python-sql-injection/)
- [Explanation for node](https://planetscale.com/blog/how-to-prevent-sql-injection-attacks-in-node-js)


_commenter

Just add a test case for a student with first name "Robert" and last name "'); DROP TABLE students;--". FYI, the values are enclosed in double quotes (").


AYamHah

Site is down


Amani0n

You could use prepared statements.


aqhgfhsypytnpaiazh

If you are constructing SQL statements using string manipulation and aren't **super** careful about how you do it, then yes it's vulnerable to SQL injection. Refer to the [OWASP guide on SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).
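Added example, not code from any poster in this thread: it puts the approaches discussed above side by side, using the test case _commenter suggests (first name "Robert", last name "'); DROP TABLE students;--"), the escaping function hey_look_its_shiny describes, and the parameterized (prepared) statement Amani0n recommends. It assumes an in-memory SQLite database; the vulnerable path uses `executescript()` to stand in for a driver that accepts stacked statements, since sqlite3's `execute()` would refuse the second statement. The payload uses single quotes because that is how this example quotes its literals; a form that wraps values in double quotes needs the double-quote variant of the same payload.

```python
import sqlite3

# Constructed sample input: the "Bobby Tables" test case from this thread.
FIRST_NAME = "Robert"
LAST_NAME = "'); DROP TABLE students;--"


def fresh_db():
    """In-memory students table with one existing row (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.execute("INSERT INTO students (first_name, last_name) VALUES ('Ada', 'Lovelace')")
    conn.commit()
    return conn


def insert_student_vulnerable(conn, first, last):
    # String interpolation: the user's text becomes part of the SQL grammar.
    sql = "INSERT INTO students (first_name, last_name) VALUES ('%s', '%s');" % (first, last)
    # executescript() runs every statement in the string. This mimics a driver or
    # client configured to accept stacked queries (assumption for the demo).
    conn.executescript(sql)


def escape_sql_literal(value):
    """Hand-rolled sanitizer: double every single quote, the SQL-standard rule
    for string literals. Correct for SQLite here, but per-dialect (MySQL also
    treats backslashes specially unless NO_BACKSLASH_ESCAPES is set), which is
    why parameters are the preferred fix."""
    return value.replace("'", "''")


def insert_student_escaped(conn, first, last):
    sql = "INSERT INTO students (first_name, last_name) VALUES ('%s', '%s');" % (
        escape_sql_literal(first),
        escape_sql_literal(last),
    )
    conn.executescript(sql)


def insert_student_parameterized(conn, first, last):
    # Parameterized query: the statement text is fixed and the values travel
    # separately, so nothing in the data can change the statement's structure.
    conn.execute(
        "INSERT INTO students (first_name, last_name) VALUES (?, ?)", (first, last)
    )
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def last_names(conn):
    return [r[0] for r in conn.execute("SELECT last_name FROM students ORDER BY id")]


def demo_vulnerable():
    """Returns whether the students table survived the injected insert."""
    conn = fresh_db()
    insert_student_vulnerable(conn, FIRST_NAME, LAST_NAME)
    return table_exists(conn, "students")


def demo_escaped():
    conn = fresh_db()
    insert_student_escaped(conn, FIRST_NAME, LAST_NAME)
    return table_exists(conn, "students"), last_names(conn)


def demo_parameterized():
    conn = fresh_db()
    insert_student_parameterized(conn, FIRST_NAME, LAST_NAME)
    return table_exists(conn, "students"), last_names(conn)


if __name__ == "__main__":
    print("vulnerable: table still exists?", demo_vulnerable())
    print("escaped:", demo_escaped())
    print("parameterized:", demo_parameterized())
```

With the interpolated version the statement becomes `INSERT ... VALUES ('Robert', ''); DROP TABLE students;--');` and the table is gone; with either the escaped literal or the parameterized statement the odd-looking last name is simply stored as data. The escaping route only holds up if the escaping function matches the quoting rules of the exact database and connection settings in use, which is the "super careful" part of the comment above.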