Quote:
Originally Posted by daveT
What I posted above was (assuming it ran) completely secure. You can screw up security with an ORM as well if you ignore best practices. DSLs don't imply that you are flapping in the wind alone and everything has to be done manually. String interpolation and concatenation are terrible regardless of whether you are using a DSL or an ORM.
I probably wasn't very clear, seeing that Rusty and you both interpreted it like this. I was replying to Rusty's question why anyone would ever use a persistence framework like Alchemy.
Of course, you can be completely fine when writing raw SQL assuming you follow some basic best practices. But the chances that a bad or inexperienced dev inadvertently introduces a SQL injection vulnerability have to be magnitudes higher with raw SQL compared to using some query builder. So yes, that would be one reason to use a persistence framework, imo.
(Regarding performance of caching and lazy/eager reference loading I really can't comment for SQLAlchemy, but I found them both extremely useful in Hibernate.)
Last edited by plexiq; 08-16-2016 at 02:00 PM.
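The point both posters are making, as an added example that is not part of the thread: the same lookup written with string concatenation, with a bind parameter, and through a tiny hand-rolled query builder (a stand-in for SQLAlchemy's select()/where(), not SQLAlchemy itself). The users table, the rows and the hostile input are constructed for the demonstration; it runs against an in-memory sqlite3 database.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, one of them privileged.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_concat(conn, name):
    # The pattern the post calls terrible: the value is spliced into the SQL
    # text, so a quote inside `name` rewrites the query's structure.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn, name):
    # Bind parameter: the driver hands `name` to the engine as data only.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

class Select:
    """Minimal query builder (hypothetical, in the spirit of an ORM DSL).
    Every comparison value becomes a bind parameter, so a caller of this API
    cannot concatenate user input into the statement by accident.
    Table and column names are identifiers chosen in code, never user input."""
    def __init__(self, table, columns):
        self.table, self.columns, self.conds, self.params = table, columns, [], []

    def where(self, column, value):
        self.conds.append(f"{column} = ?")
        self.params.append(value)
        return self

    def run(self, conn):
        sql = f"SELECT {', '.join(self.columns)} FROM {self.table}"
        if self.conds:
            sql += " WHERE " + " AND ".join(self.conds)
        return [row[0] for row in conn.execute(sql, self.params)]

def demo():
    # A single constructed hostile value exercises all three variants.
    conn = make_db()
    hostile = "x' OR '1'='1"
    return {
        "concat": find_user_concat(conn, hostile),   # leaks every row
        "param": find_user_param(conn, hostile),     # matches nothing
        "builder": Select("users", ["name"]).where("name", hostile).run(conn),
    }
```

Only the concatenated variant returns rows for the hostile value; the parameterized query and the builder treat it as an ordinary (non-matching) name.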