WP-A: A New URL Shortener

Chris Angelico rosuav at gmail.com
Sat Mar 19 10:16:23 EDT 2016


On Sun, Mar 20, 2016 at 1:00 AM, Thomas 'PointedEars' Lahn
<PointedEars at web.de> wrote:
> Chris Angelico wrote:
>
>> On Fri, Mar 18, 2016 at 10:17 AM, Thomas 'PointedEars' Lahn
>> <PointedEars at web.de> wrote:
>>> Daniel Wilcox wrote:
>>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>>> injections.
>>>
>>> That is to crack a nut with a sledgehammer.  SQL injection can be easily
>>> and more efficiently prevented with prepared statements.  While an
>>> Object-Relational Mapper (ORM) can use those, and there are benefits to
>>> using an ORM, avoiding SQL injection should not be the primary reason to
>>> use an ORM. In fact, using an ORM is often not only overkill, but
>>> effectively *reduces* application performance.
>>
>> You don't even need prepared statements. All you need is parameterized
>> queries.
>
> A prepared statement in this context uses a parameterized query.
>
> <https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>

I know what a prepared statement is. And I know that they are
effective. However, they are overkill - as I said, you merely need
parameterization.

ChrisA
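The difference the thread is arguing about is easiest to see in running code. The example below is added here and is not from the thread or from any of the posters; it uses Python's standard `sqlite3` module with a constructed in-memory table and constructed inputs. It shows a lookup that interpolates user input into the SQL text next to the same lookup written with a DB-API placeholder, so that the input is bound as a value and never becomes part of the query grammar. The table, rows and inputs are all invented for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the thread).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """String-formats the input into the SQL text.

    The input is parsed as SQL, so quotes and keywords in it change the
    meaning of the statement. Shown only to contrast with the safe form.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Uses a DB-API placeholder; the SQL text is fixed and the driver binds
    the value separately, so the input is always treated as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def unsafe_breaks_on_quote(conn, name):
    """Return True if the interpolated query fails on a plain apostrophe.

    Parameterization fixes this ordinary correctness bug as well as the
    injection case, which is why it is the default, not a special measure.
    """
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both lookups on a benign and a constructed hostile input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed: a quote plus an always-true clause
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # returns every row
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),  # matches nothing
        "unsafe_quote_error": unsafe_breaks_on_quote(conn, "O'Brien"),
        "param_quote_ok": lookup_parameterized(conn, "O'Brien"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `?` placeholder is the parameterization the thread refers to; `sqlite3` implements it by compiling the statement once and binding the value, so in this driver a parameterized query and a prepared statement are the same mechanism. Other DB-API drivers use `%s` or named placeholders, but the property that matters for defence is the same: the query text never contains the untrusted value.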



More information about the Python-list mailing list