
> That you view the situation as ORM or concatenation terrifies me. No wonder SQL injection remains so prevalent.

I don't think others mean concatenation of values where placeholders should be, but the fact that the query itself is a big string. Unless some sort of query builder is used to literally build this big string for you.



> I don't think others mean concatenation of values where placeholders should be, but the fact that the query itself is a big string.

They explicitly contrast using an ORM to the practice of concatenating strings here:

> > SQL is backward to a programming language. Creating statements by concatenating strings?

> Unless some sort of query builder is used to literally build this big string for you.

I'm not entirely sure they're aware of the existence of query builders outside of an ORM given the dichotomy presented.


That “unless” is the whole point...
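The distinction the thread is drawing (the query text is a built string, the values go through placeholders) can be shown in a few lines. This is an added example, not code posted in the thread: a minimal query builder that assembles the SQL text from a whitelist of column names while every value is bound as a `?` parameter. The `users` table, its columns and the sample rows are constructed for the demonstration; only the standard library `sqlite3` module is used.

```python
# Added example (not from the thread): the SQL text is still a "big string"
# assembled by a builder, but user-supplied values never become part of it.
import sqlite3

ALLOWED_COLUMNS = {"id", "name", "email", "active"}  # identifier whitelist


def build_select(table, filters):
    """Return (sql, params): sql uses '?' placeholders, params carries values.

    `filters` maps column -> value. Identifiers cannot be bound as parameters,
    so column names are checked against ALLOWED_COLUMNS instead of being trusted.
    """
    if not table.isidentifier():
        raise ValueError(f"bad table name: {table!r}")
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        clauses.append(f'"{column}" = ?')   # placeholder in the text...
        params.append(value)                # ...value travels separately
    sql = f'SELECT id, name FROM "{table}"'
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def find_users(conn, filters):
    sql, params = build_select("users", filters)
    return conn.execute(sql, params).fetchall()


def demo_db():
    # Constructed sample data (hypothetical users table).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", 1),
        (2, "bob", "bob@example.com", 0),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(build_select("users", {"name": "alice", "active": 1}))
    # A value that would change a concatenated query is plain data here:
    print(find_users(conn, {"name": "' OR 1=1 --"}))  # []
    print(find_users(conn, {"name": "alice"}))        # [(1, 'alice')]
```

The builder composes the string, but the driver sees the value only as a parameter, which is why the quoted `' OR 1=1 --` matches no row instead of rewriting the query.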



