
Even sqlalchemy has the mechanism I pointed out. I've never seen an ORM not have it because it becomes important if you're putting an ORM on top of a previously designed database or optimising queries.

session.query(Object).from_statement("SELECT * ...")

http://docs.sqlalchemy.org/en/rel_0_8/orm/query.html#sqlalch...




Sure, and shooting yourself in the foot is also possible by pointing the gun down at the floor ... doesn't mean it is a good idea.

Generally the same statement can be built using internal SQLAlchemy...

But if you want to do your own, you can in sqlalchemy while still being as safe:

http://docs.sqlalchemy.org/en/rel_0_5/sqlexpression.html#usi...
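To make the two sides of this exchange concrete, here is an added example (not code from either commenter or from the SQLAlchemy docs). It uses Python's standard-library sqlite3 module as a stand-in so it runs with no extra packages: the "unsafe" function splices the caller's value into the raw SQL string, which is what a from_statement("SELECT ...") call becomes when the string is built by formatting; the "safe" function sends the same raw SQL with the value as a bound parameter, which is what SQLAlchemy's text("... WHERE name = :name") with a :name bind parameter does. The table and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original thread).
ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The foot-gun: the raw SQL string is assembled by splicing in the
    caller's value. An untrusted name can rewrite the WHERE clause, so the
    query returns rows it was never meant to."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same raw SQL, but the value travels as a bound parameter. The driver
    never interprets it as SQL, so an injection payload is just a name that
    matches no row. SQLAlchemy's text("... WHERE name = :name") with a
    bindparam is the ORM-side equivalent of this."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both variants against a normal name and a classic injection
    payload and return the row lists so the difference can be checked."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "unsafe_payload": find_user_unsafe(conn, payload),  # every row leaks
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, payload),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point the thread circles around is visible in the two payload results: the raw-SQL escape hatch is not the problem by itself, string-building the SQL is, and the same escape hatch with bound parameters is as safe as the ORM's generated queries.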


> "Sure, and shooting yourself in the foot is also possible by pointing the gun down at the floor ... doesn't mean it is a good idea."

But it's possible and people do it. Which, I believe, was the point: the counterpoint to "SQLi should be impossible".

Sure, one can avoid shooting themselves in the foot with an ORM. But that's also true in SQL.



