
As you point out, you can build the SQL query. I've not seen any ORM that validates the SQL you pass it to build the query. This is how SQLi happens in the ORM tier.

objects = orm.rawQueryForObjects("select * from people where name = '" + name + "'")




You build the SQL query using chained functions, so it's safe:

objects = People.query.filter_by(name=name).all()

When I said 'build the SQL query' I meant using SQLAlchemy core, which is also safe:

objects = select([People]).where(People.name == name)


Even SQLAlchemy has the mechanism I pointed out. I've never seen an ORM not have it, because it becomes important if you're putting an ORM on top of a previously designed database or optimising queries.

session.query(Object).from_statement("SELECT * ...")

http://docs.sqlalchemy.org/en/rel_0_8/orm/query.html#sqlalch...


Sure, and shooting yourself in the foot is also possible by pointing the gun down at the floor ... doesn't mean it is a good idea.

Generally the same statement can be built using internal SQLAlchemy...

But if you want to do your own, you can in SQLAlchemy while still being as safe:

http://docs.sqlalchemy.org/en/rel_0_5/sqlexpression.html#usi...


> "Sure, and shooting yourself in the foot is also possible by pointing the gun down at the floor ... doesn't mean it is a good idea."

But it's possible and people do it. Which, I believe, was the point: the counterpoint to "SQLi should be impossible".

Sure, one can avoid shooting themselves in the foot with an ORM. But that's also true in SQL.
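An added example, not from any comment in this thread, showing the mechanism the thread argues about: the raw-query path concatenates the value into the SQL text (the rawQueryForObjects pattern above), while filter_by()/select().where() and a from_statement()/text() call with bind parameters keep the SQL text fixed and ship the value separately. It uses Python's standard-library sqlite3 instead of SQLAlchemy so it runs with no extra dependencies; the table, rows, payloads and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "people" table.
SAMPLE_PEOPLE = [("alice", "staff"), ("bob", "admin"), ("carol", "staff")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_PEOPLE)
    return conn


def raw_query_for_objects(conn, name):
    """The raw-query pattern from the thread: the caller's value becomes part
    of the SQL text itself. Deliberately vulnerable; kept as the 'before'."""
    sql = "select * from people where name = '" + name + "'"
    return conn.execute(sql).fetchall()


def filter_by_name(conn, name):
    """What filter_by()/select().where() compile to underneath: fixed SQL text,
    value passed as a positional bind parameter."""
    return conn.execute("select * from people where name = ?", (name,)).fetchall()


def from_statement_safe(conn, name):
    """Hand-written SQL, as with from_statement()/text(), still safe because the
    statement carries a named bind parameter instead of a concatenated value."""
    sql = "select * from people where name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


def demo():
    """Run each query path against a benign name, an injection payload and a
    name that merely contains a quote; return the results for inspection."""
    conn = make_db()
    benign = "alice"
    hostile = "x' or '1'='1"   # constructed tautology payload
    quoted = "O'Brien"          # legitimate input that breaks concatenation

    try:
        raw_quoted = raw_query_for_objects(conn, quoted)
    except sqlite3.OperationalError as exc:
        # The stray quote turns a valid name into a syntax error in the raw path.
        raw_quoted = "error: " + str(exc)

    return {
        "raw_benign": raw_query_for_objects(conn, benign),
        "raw_hostile": raw_query_for_objects(conn, hostile),   # every row leaks
        "raw_quoted": raw_quoted,
        "bound_hostile": filter_by_name(conn, hostile),        # no match
        "bound_quoted": filter_by_name(conn, quoted),          # no match, no error
        "text_hostile": from_statement_safe(conn, hostile),    # no match
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The payload is looked up as a literal name on the bound paths and returns nothing, while the raw path rewrites the WHERE clause and returns the whole table; the "O'Brien" case shows that concatenation also fails on honest input, which is the usual way these code paths get noticed in practice.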



