Have you ever tried it? Your coworkers are right. It also helps you avoid common mistakes like SQL injection. When the ORM doesn't work for a specific case, they usually have ways where you can override the ORM and use your own SQL calls. Virtually every major, popular ORM does this across different languages (can personally confirm with Ruby, Java, & Python ORMs - confident that JS ones support it too).


SQL injection is prevented by not using user input as a part of the SQL query. It's an orthogonal concern to whether to use an ORM or not.


I'm not sure I understand since there are common cases where you have no choice but to deal with user input. Sure, you can manually escape user input in your manual SQL calls, but if you're doing that manually there's no hard guarantee that you'll always escape that input vs using an ORM.


Christ, no, don't escape user input in SQL. Just use parameterized queries.


I disagree, and SQLi is not simply prevented by avoiding user input. There are many cases where you need to use user input for a SQL query and it's a valid pattern, and can be done securely with Prepared Statements or Parameterization.

Using an ORM discourages you from writing SQL queries and it also automatically parameterizes queries. This is a good thing! In fact, from experience, the single easiest way to mitigate a naive developer from introducing SQLi is requiring them to use an ORM. People should not be constructing SQL statements by hand today, it's too easy to mess this up. SQLi shouldn't be a thing in 2019, but, it is.

My point is it is VERY MUCH not orthogonal, it's very much related. Avoid naive SQLi, use an ORM. Directly related.


An ORM builds on top of mechanisms for prepared statements or parametrization.

Yes, an ORM API can perhaps limit developers to such an extent that they can't construct SQL themselves, and thus can't make the mistakes leading to SQL injection.


You can't avoid using user input. How would you log in with a username and password without user input?

Django's ORM will sanitize input when you pass it in as raw SQL.


A SQL query is a string (that's where you don't pass the user input, not even quoted/escaped, as a policy). User input is passed "out of band", meaning not as a part of the query string. How exactly that happens depends on the RDBMS's particular client/server interface.

That's all, and that's enough to avoid SQL injections. And it has nothing to do with ORM.
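The distinction the comments above draw, between building the query string from user input and passing the values "out of band", is easiest to see side by side. The following is an added example, not code from any commenter; it uses Python's standard-library `sqlite3` against a constructed in-memory `users` table (plaintext passwords only for the demonstration) and a constructed hostile username, so the names, rows and inputs are all assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """User input is spliced into the SQL text, so it can change the
    structure of the query instead of acting as a plain value."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """The SQL text is a constant; the driver sends the values separately
    ("out of band"), so they are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both variants against the same constructed hostile username."""
    conn = make_db()
    crafted_user = "' OR '1'='1' -- "  # constructed input containing SQL syntax
    return {
        # Query becomes ... WHERE username = '' OR '1'='1' -- ' AND ... : every row matches.
        "vulnerable": login_vulnerable(conn, crafted_user, "anything"),
        # Same input is compared as a literal string; nothing matches.
        "parameterized": login_parameterized(conn, crafted_user, "anything"),
        # Legitimate credentials still work with the parameterized form.
        "legit": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The `vulnerable` variant returns both users because the quote and comment in the input rewrote the `WHERE` clause, while the `parameterized` variant returns nothing, since the driver compared the whole crafted string as a value. Whether an ORM or a bare connector issues the query, the protection comes from the placeholder mechanism, which is the commenter's point: it depends on the driver interface, not on the ORM layer itself.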


That is orthogonal. There are ORMs which make SQL injection easy and there are those which make it hard, just as for SQL connector libraries.

This is a matter of interface design.


Which ORMs make SQL Injection easy to happen? From my experience, input sanitization is one of the main features of every major ORM. I am not aware of any popular ORM that makes it easy for SQL injection to occur.



