0 points
jagged-chisel
11mo ago
Doing your own escaping is digital whack-a-mole. Let the experts who wrote the prepared statement interface handle it. The knowledge of a team and/or years of experience compressed into an interface that’s trivial to use.
2 comments · 1 top-level
ameliaquining
11mo ago
· 1 in thread
Parameterized statements don't actually abstract over escaping; they entirely obviate the need for it, by moving the untrusted data out of band.
jagged-chisel
OP
11mo ago
It’s the safest interface to your database query engine no matter how it does the job. That’s what matters.
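As an added illustration of the thread's point (not code posted by either commenter), the following Python/sqlite3 snippet contrasts a hand-rolled escaper, which is correct for exactly one quoting context, with bound parameters, which carry the value out of band for any context. The table, column names and inputs are constructed for the example.

```python
import sqlite3

# Constructed in-memory sample table (not taken from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def naive_escape(value):
    # Hand-rolled escaping for one context: SQL string literals.
    # Doubling single quotes is the right rule for that context in SQLite
    # and does nothing useful in any other context (the "whack-a-mole").
    return str(value).replace("'", "''")

def by_name_concat(conn, name):
    # String context, escaped: holds up because the quoting rule matches.
    sql = f"SELECT name FROM users WHERE name = '{naive_escape(name)}'"
    return [r[0] for r in conn.execute(sql)]

def by_id_concat(conn, user_id):
    # Numeric context with the same escaper: a value containing no quote is
    # passed through unchanged, so the engine parses the data as SQL.
    sql = f"SELECT name FROM users WHERE id = {naive_escape(user_id)}"
    return [r[0] for r in conn.execute(sql)]

def by_name_param(conn, name):
    # Parameterized: the value is bound out of band and never becomes part
    # of the statement text, so there is no quoting context to get wrong.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]

def by_id_param(conn, user_id):
    # Same for the numeric column: the bound value is compared as data only.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [r[0] for r in rows]
```

Running the two `by_id_*` functions on the same hostile string shows the difference: the concatenated query returns every row, the parameterized one returns none.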