Skip to main content

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

2
  • I honestly disagree on your suggestion. This could lead to a false postive feeling of security throwing in any ORM. Of course, most of those take care of prepared statements and parameterized queries. A newbie coming to this post might still feel secure by picking any ORM - trusting them all. In general ORM are easing up things by hiding / abstracting implementation details. You really WANT to check (or blindly trust) how it's done. Rule of thumb: The bigger the open source community (support) behind it, the less it's totally screwed ;)
    – pocketrocket
    Commented Oct 9, 2020 at 15:25
  • 1
    Honestly its not the worst idea , pocketrocket. Depending on the ORM, theres a very very high chance that the authors of the ORM know their way around SQL better than the coder. Its kind of like that old rule of encryption that unless you've got your name on research papers in the field, dont roll your own, because chances are the attacker DOES have his name on papers in the field. That said if its an ORM requiring you to supply all or part of the query (ie Model.filter('where foo = ?',bar), you may well be better off rolling hand SQL
    – Shayne
    Commented Oct 28, 2020 at 1:43