
Yes, all ORMs build their SQL using string concatenation, BUT the good ORMs won't use string concatenation on user data; instead they will use bind parameters.

This way the query sent to the server looks like this:

  SELECT * FROM whatever WHERE email = :1 AND user_name = :2;
And then the parameters are passed to the database server separately to bind to the above placeholders.

This way the database server knows what is user provided data and what is part of the SQL, and no special quoting is required since the database server handles that internally. It's much safer in that SQL injection becomes impossible at that point.
That's not what OP was saying. That SQL string you just provided is static. At some point the ORM has to assemble that string.


OP said:

  > Prepared statements with bind variables only work when the SQL string is static and only the variables change
This is wrong.


I said "All ORMs build at least some of their SQL using string concatenation"

The "at least some" was meant to imply that they also use bind variables.
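The distinction the commenters are circling, shown as an added Python example that is not from any poster in the thread: a tiny ORM-style query builder concatenates the static SQL structure (table and column names it controls) while user-supplied values are handed to the driver as bind parameters. The table, column names and the sqlite3 in-memory database are constructed for the example.

```python
import sqlite3

# Constructed example: an ORM-style query builder. The SQL structure is
# assembled by string concatenation from names the ORM itself controls;
# user-supplied values never enter the string and are bound separately.

TABLE = "users"
ALLOWED_COLUMNS = {"id", "email", "user_name"}  # schema the ORM knows about


def build_select(filters):
    """Return (sql, params) for SELECT * FROM users WHERE col = ? AND ...

    `filters` maps column name -> user-provided value. Column names are
    checked against the ORM's schema before concatenation; values are
    returned separately so the driver can bind them."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        clauses.append(f"{column} = ?")  # static structure, concatenated
        params.append(value)             # user data, bound later
    sql = f"SELECT * FROM {TABLE}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def unsafe_select(filters):
    """The concatenation-on-user-data version the thread warns against."""
    where = " AND ".join(f"{c} = '{v}'" for c, v in filters.items())
    return f"SELECT * FROM {TABLE} WHERE {where}"


def run_query(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, user_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "a@example.com", "alice"), (2, "b@example.com", "bob")])
    # Constructed input: a value that would change the SQL if concatenated.
    hostile = "x' OR '1'='1"
    sql, params = build_select({"email": hostile})
    bound = run_query(conn, sql, params)           # treated as data: no rows
    concatenated = run_query(conn, unsafe_select({"email": hostile}))  # every row
    return sql, bound, concatenated
```

`demo()` returns the bound-parameter query text, the rows it matched (none) and the rows the concatenated query matched (all of them), making the point of the first comment concrete.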
