On Sun, Mar 20, 2016 at 1:00 AM, Thomas 'PointedEars' Lahn <pointede...@web.de> wrote:
> Chris Angelico wrote:
>
>> On Fri, Mar 18, 2016 at 10:17 AM, Thomas 'PointedEars' Lahn
>> <pointede...@web.de> wrote:
>>> Daniel Wilcox wrote:
>>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>>> injections.
>>>
>>> That is to crack a nut with a sledgehammer. SQL injection can be easily
>>> and more efficiently prevented with prepared statements. While an
>>> Object-Relational Mapper (ORM) can use those, and there are benefits to
>>> using an ORM, avoiding SQL injection should not be the primary reason to
>>> use an ORM. In fact, using an ORM is often not only overkill, but
>>> effectively *reduces* application performance.
>>
>> You don't even need prepared statements. All you need is parameterized
>> queries.
>
> A prepared statement in this context uses a parameterized query.
>
> <https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>
I know what a prepared statement is. And I know that they are effective.
However, they are overkill - as I said, you merely need parameterization.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
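The point the thread keeps circling (string-spliced SQL is injectable, a DB-API placeholder is not, and you need neither an ORM nor an explicit prepare step to get that) is easiest to see side by side. The following is an added example, not code from anyone in the thread; it uses Python's standard-library sqlite3 module with a small constructed users table, and the helper names (make_db, lookup_vulnerable, lookup_parameterized, demo) are this example's own.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Injectable: the user-controlled value is spliced into the SQL text.

    Whatever the caller passes becomes part of the statement, so a quote
    character ends the string literal and the rest is parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Safe: the SQL text is fixed and the value travels separately.

    The DB-API placeholder (? for sqlite3) hands the value to the driver as
    data; it is never interpreted as SQL, whatever characters it contains.
    This is plain parameterization: no explicit prepare/execute cycle and no
    ORM are involved, and it is enough on its own to prevent injection.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run an honest lookup and an injection attempt through both paths."""
    conn = make_db()
    honest = "alice"
    # Classic tautology payload: closes the string literal, then ORs in a
    # condition that is always true, so the WHERE clause matches every row.
    hostile = "' OR '1'='1"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, honest),
        "honest_parameterized": lookup_parameterized(conn, honest),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),      # all rows
        "hostile_parameterized": lookup_parameterized(conn, hostile),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The placeholder syntax is driver-specific (sqlite3 uses ?, other DB-API drivers use %s or :name as reported by their paramstyle attribute), but the rule is the same everywhere: the SQL string must never be built from user input, only the parameter tuple may carry it. Note that the second argument to execute is a tuple, which is why (name,) has the trailing comma.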