WP-A: A New URL Shortener

Chris Angelico rosuav at gmail.com
Fri Mar 25 17:48:24 EDT 2016 

On Sat, Mar 26, 2016 at 8:28 AM, Thomas 'PointedEars' Lahn
<PointedEars at web.de> wrote:
> Chris Angelico wrote:
>
>> […] Thomas 'PointedEars' Lahn […] wrote:
>>> Chris Angelico wrote:
>>>> […] Thomas 'PointedEars' Lahn […] wrote:
>>>>> Daniel Wilcox wrote:
>>>>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>>>>> injections.
>>>>> That is to crack a nut with a sledgehammer.  SQL injection can be
>>>>> easily and more efficiently prevented with prepared statements.  […]
>>>> You don't even need prepared statements. All you need is parameterized
>>>> queries.
>>> A prepared statement in this context uses a parameterized query.
>>>
>>>
> <https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>
>>
>> I know what a prepared statement is. And I know that they are
>> effective. However they are overkill - as I said, you merely need
>> parameterization.
>
> Then enlighten me, please: How is “parameterization” or a “parameterized
> query”, as *you* understand it, different from a prepared statement?

This is a prepared statement:

http://www.postgresql.org/docs/current/static/sql-prepare.html

You use a special "PREPARE" query to create *and store* a half-run
query, and then you execute it afterwards. Back in the 1990s, I had
the option of actually *compiling* my SQL queries as part of my C
code, which would prepare all the queries for future execution. It is
completely different from the dynamic parameterized queries that most
people use.

Parameterization is a more general concept which prepared statements
invariably use, but which general code need not use. A Python database
connector could choose to PREPARE/EXECUTE for every query it's given,
or it could choose to escape all the parameters and embed them, or it
could (if it's using a decent database back-end like PostgreSQL)
simply send the query and its associated parameters as-is. Only one of
these options is a "prepared statement". All three are "parameterized
queries", at least from the POV of Python code.

ChrisA

More information about the Python-list mailing list