Hi Richard,
If you use the create/new/all/first API (i.e. avoid raw SQL methods like find_by_sql and execute), DataMapper uses the database's own quoting functions to insert and query the database with user-supplied params. So there shouldn't be any risk of SQL injection while using DM.
Regards,
Jon
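An added Ruby example (not Jon's code and not DataMapper's own) contrasting the two usage styles from the reply above. `driver_quote` is an assumed stand-in for the driver-level quoting the adapter delegates to, and `literal_value` is a constructed check that reads the resulting statement the way an SQL parser would; the DataMapper calls in the comments are the equivalents the helpers model.

```ruby
# Raw-SQL style, equivalent to User.find_by_sql("... '#{name}'") or
# adapter.execute: the user value is pasted straight into the statement.
def raw_sql_for(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Assumed stand-in for the database driver's own quoting, which is what
# DataMapper hands parameters to when you use create/new/all/first.
# SQL-standard escaping: a single quote inside a literal is doubled.
def driver_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Query-API style, equivalent to User.first(:name => name): the adapter
# builds the statement and quotes the parameter, so the value stays data.
def bound_sql_for(name)
  "SELECT * FROM users WHERE name = #{driver_quote(name)}"
end

# Constructed check: returns the decoded string literal that follows
# "name = " when the rest of the statement is exactly one well-formed
# literal, or nil when the input altered the statement's structure.
def literal_value(sql)
  tail = sql.sub(/\ASELECT \* FROM users WHERE name = /, "")
  m = tail.match(/\A'((?:[^']|'')*)'\z/)
  m && m[1].gsub("''", "'")
end

if __FILE__ == $0
  ["Richard", "O'Brien"].each do |name|
    puts "raw   #{name.inspect}: #{literal_value(raw_sql_for(name)).inspect}"
    puts "bound #{name.inspect}: #{literal_value(bound_sql_for(name)).inspect}"
  end
end
```

The raw style only looks fine while every input is benign; a name with a quote in it already leaves the statement malformed, which is the same weakness an attacker would exploit, whereas the bound form returns the value unchanged.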