Chris Angelico wrote:
> […] Thomas 'PointedEars' Lahn […] wrote:
>> Chris Angelico wrote:
>>> […] Thomas 'PointedEars' Lahn […] wrote:
>>>> Daniel Wilcox wrote:
>>>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>>>> injections.
>>>> That is to crack a nut with a sledgehammer. SQL injection can be
>>>> easily and more efficiently prevented with prepared statements. […]
>>> You don't even need prepared statements. All you need is parameterized
>>> queries.
>> A prepared statement in this context uses a parameterized query.
>>
>> <https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>
>
> I know what a prepared statement is. And I know that they are
> effective. However they are overkill - as I said, you merely need
> parameterization.
Then enlighten me, please: How is “parameterization” or a “parameterized query”, as *you* understand it, different from a prepared statement?

-- 
PointedEars
Twitter: @PointedEars2
Please do not cc me.
-- 
https://mail.python.org/mailman/listinfo/python-list
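The distinction the thread is arguing about, shown with Python's sqlite3 module (an added illustration for this edit, not code posted by anyone in the thread): a string-spliced query beside a parameterized one, run against a constructed in-memory users table. Function names and sample rows are made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original thread). One name carries
# a quote character, which is enough to break a spliced query.
SAMPLE_USERS = [("alice", "alice@example.org"),
                ("bob", "bob@example.org"),
                ("o'brien", "obrien@example.org")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    """Anti-pattern: the value is spliced into the SQL text, so the database
    parses it as SQL. A quote in the value breaks or rewrites the statement."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_email_parameterized(conn, name):
    """Parameterized query: the SQL text is fixed and holds only a placeholder;
    the value is bound separately and can never be parsed as SQL. In DB-API
    terms this is execute(sql, params), whichever name the thread gives it;
    sqlite3 also caches the compiled statement across repeated calls."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return (unsafe, parameterized).
    The unsafe lookup may raise on a quote; that is reported as a string."""
    conn = make_db()
    try:
        unsafe = find_email_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    safe = find_email_parameterized(conn, name)
    return unsafe, safe
```

For a plain name both lookups agree; for the name containing a quote the spliced query fails while the parameterized one returns the matching row, which is the whole reason the value must be bound rather than spliced.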