On Sat, Mar 26, 2016 at 8:28 AM, Thomas 'PointedEars' Lahn <pointede...@web.de> wrote:
> Chris Angelico wrote:
>
>> […] Thomas 'PointedEars' Lahn […] wrote:
>>> Chris Angelico wrote:
>>>> […] Thomas 'PointedEars' Lahn […] wrote:
>>>>> Daniel Wilcox wrote:
>>>>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>>>>> injections.
>>>>> That is to crack a nut with a sledgehammer. SQL injection can be
>>>>> easily and more efficiently prevented with prepared statements. […]
>>>> You don't even need prepared statements. All you need is parameterized
>>>> queries.
>>> A prepared statement in this context uses a parameterized query.
>>>
>>> <https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>
>>
>> I know what a prepared statement is. And I know that they are
>> effective. However they are overkill - as I said, you merely need
>> parameterization.
>
> Then enlighten me, please: How is “parameterization” or a “parameterized
> query”, as *you* understand it, different from a prepared statement?
This is a prepared statement:

http://www.postgresql.org/docs/current/static/sql-prepare.html

You use a special "PREPARE" query to create *and store* a half-run
query, and then you execute it afterwards. Back in the 1990s, I had the
option of actually *compiling* my SQL queries as part of my C code,
which would prepare all the queries for future execution. It is
completely different from the dynamic parameterized queries that most
people use.

Parameterization is a more general concept which prepared statements
invariably use, but which general code need not use. A Python database
connector could choose to PREPARE/EXECUTE for every query it's given,
or it could choose to escape all the parameters and embed them, or it
could (if it's using a decent database back-end like PostgreSQL) simply
send the query and its associated parameters as-is. Only one of these
options is a "prepared statement". All three are "parameterized
queries", at least from the POV of Python code.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
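The three connector strategies described above, as an added example that is not part of ChrisA's post. It uses only the standard-library sqlite3 module so it runs offline; the users table, the sample rows and the hostile input are constructed for the demo. From Python's point of view the DB-API call with a `?` placeholder is a parameterized query whether or not the connector prepares anything; sqlite3 happens to compile the statement and bind the value through the library's API, so the value never enters the SQL text. The escape-and-embed variant is shown beside it, together with the naive string-built query it is meant to protect.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the original thread).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Hostile input: a string-built query will parse this as SQL, not as a name.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    # executemany reuses one parameterized INSERT for every row.
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_string_built(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so a quote in
    `name` terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchone()[0]


def count_escaped_and_embedded(conn, name):
    """Connector option 2 from the post: escape the value, then embed it.
    SQL string literals double a single quote. The result is still one
    SQL string, so safety depends on the escaping matching exactly what
    the backend's parser does; there is no separate parameter channel."""
    escaped = name.replace("'", "''")
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % escaped
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, name):
    """DB-API parameterized query: the SQL text carries a placeholder and
    the value travels separately. sqlite3 compiles the statement and binds
    the value to it, so the value can never change the statement's shape.
    This is what the post calls a parameterized query from Python's POV."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


def demo():
    """Run all three strategies against the hostile input and return the
    row counts each one produces. Only the string-built query is fooled."""
    conn = make_db()
    results = {
        "string_built": count_string_built(conn, INJECTION),
        "escaped": count_escaped_and_embedded(conn, INJECTION),
        "parameterized": count_parameterized(conn, INJECTION),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for strategy, rows in demo().items():
        print("%-14s matched %d row(s)" % (strategy, rows))
```

With the hostile input the string-built query becomes `WHERE name = '' OR '1'='1'` and matches every row, while the escaped and parameterized versions match none. Which of the post's three strategies a real connector uses is a connector property, not something visible in the DB-API call: psycopg2, for instance, merges parameters into the query text client-side (what `cursor.mogrify` shows you), whereas psycopg 3 sends the query and its parameters separately to PostgreSQL by default.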