undefined | Better HN

0 pointsX-Istence11y ago0 comments

Yes, all ORM's build their SQL using string concatenation, BUT the good ORM's won't use string concatenation on user data, instead they will use bind parameters.

This way the query sent to the server looks like this:

  SELECT * FROM whatever WHERE email = :1 AND user_name = :2;

And then the parameters are passed to the database server separately to bind to the above placeholders.

This way the database server knows what is user provided data and what is part of the SQL, and no special quoting is required since the database server handles that internally. It's much safer in that SQL injection becomes impossible at that point.

0 comments

3 comments · 1 top-level

warmwaffles11y ago· 2 in thread

That's not what OP was saying. That SQL string you just provided is static. At some point the ORM has to assemble that string.

X-IstenceOP11y ago

OP said:

  > Prepared statements with bind variables only work when the SQL string is static and only the variables change

This is wrong.

simonw11y ago

I said "All ORMs build at least some of their SQL using string concatenation"

The "at least some" was meant to imply that they also use bind variables.

j / k navigate · click thread line to collapse