Chris Angelico wrote:

> On Fri, Mar 18, 2016 at 10:17 AM, Thomas 'PointedEars' Lahn
> <pointede...@web.de> wrote:
>> Daniel Wilcox wrote:
>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>> injections.
>>
>> That is to crack a nut with a sledgehammer. SQL injection can be easily
>> and more efficiently prevented with prepared statements. While an
>> Object-Relational Mapper (ORM) can use those, and there are benefits to
>> using an ORM, avoiding SQL injection should not be the primary reason to
>> use an ORM. In fact, using an ORM is often not only overkill, but
>> effectively *reduces* application performance.
>
> You don't even need prepared statements. All you need is parameterized
> queries.
A prepared statement in this context uses a parameterized query.

<https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>

-- 
PointedEars
Twitter: @PointedEars2
Please do not cc me.
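The distinction the thread is making, as an added example that is not part of the original post: the same sqlite3 lookup built by string formatting beside the parameterized form, plus the allowlist check that identifiers (table and column names) still need, since those cannot be bound as parameters. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration.
SEED = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED)
    return conn

def find_user_unsafe(conn, name, password):
    """Vulnerable: input is spliced into the SQL text, so the database
    cannot distinguish data from query syntax."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name, password):
    """Parameterized: the SQL text is fixed; the values travel as bound
    parameters and are never parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = ? AND password = ? "
           "ORDER BY name")
    return [row[0] for row in conn.execute(sql, (name, password))]

ALLOWED_COLUMNS = {"name", "password"}

def column_values(conn, column):
    """Identifiers cannot be parameters, so validate them against an
    allowlist before they are interpolated into the statement."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    return [row[0] for row in
            conn.execute("SELECT %s FROM users ORDER BY rowid" % column)]

if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"   # a password value containing quote characters
    print(find_user_unsafe(db, "alice", tainted))  # ['alice', 'bob']
    print(find_user_safe(db, "alice", tainted))    # []
```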