So many people in this thread seem to think that your options are ORM or string concatenation. It explains a lot about why both ORMs and SQL injection are still so prevalent.
Does no one teach prepared statements in schools/online classes/textbooks? Does no one go digging underneath their abstractions to learn what they're providing of value and what is easily available without that abstraction?
> ORM protections against SQL injection attacks are worth the clunky syntax. Change my mind.
You can create what's called a prepared statement in most databases. This is a statement that contains placeholders for parts of the query that you want to change at runtime. You then query against this prepared statement, providing arguments for each placeholder. These arguments are typically typechecked and protected against SQL injection.
(I only say "typically" because I'm sure someone out there can provide a database/driver combo that does the wrong thing, but I'm equally sure you can find a misbehaving ORM that does the wrong thing as well.)
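The following is an added example, not code from the thread above: it puts the string-concatenation version next to a parameterized (prepared) query against an in-memory SQLite database, using Python's standard `sqlite3` module and a constructed two-row users table, and shows the same injection payload succeeding against one and being treated as plain data by the other. The `login_concat`/`login_prepared` names and the sample users are assumptions made here for illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
USERS = [("alice", "secret1"), ("bob", "secret2")]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # executemany with '?' placeholders is itself a parameterized statement.
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """VULNERABLE: user input is spliced into the SQL text itself."""
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Parameterized: the SQL text is fixed; values are bound separately.

    The driver sends '?' placeholders to the database and binds the
    arguments as values, so a quote or comment marker inside them never
    changes the structure of the statement.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def binds_are_typechecked(conn):
    """Show the 'typechecked' point from the comment: binding a value of an
    unsupported type (here a list) is rejected by the driver instead of
    being stringified into the query. Returns True if the driver refuses."""
    try:
        conn.execute("SELECT name FROM users WHERE name = ?", ([1, 2],))
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Classic payload: close the string, then comment out the password check.
    payload = "alice' --"
    print("concat   :", login_concat(db, payload, "wrong"))    # ['alice']
    print("prepared :", login_prepared(db, payload, "wrong"))  # []
    # Tautology payload returns every row through the concatenated query.
    print("concat   :", login_concat(db, "x", "' OR '1'='1"))  # ['alice', 'bob']
    print("prepared :", login_prepared(db, "x", "' OR '1'='1"))  # []
    print("typechecked binds:", binds_are_typechecked(db))     # True
```

One caveat worth keeping in mind when using this approach: placeholders bind values, not SQL structure. A table or column name, an `ORDER BY` direction, or a `LIMIT` clause cannot be passed as a parameter in most drivers, so anything dynamic there still has to be chosen from an allowlist in application code rather than taken from the request.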