


Re: WP-A: A New URL Shortener

From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Subject Re: WP-A: A New URL Shortener
Date 2016-03-26 08:48 +1100
Message-ID <mailman.13.1458942513.28225.python-list@python.org> (permalink)
References (4 earlier) <1964524.jFVgOtWIx9@PointedEars.de> <mailman.298.1458257054.12893.python-list@python.org> <2334208.C0ktZ5B2k1@PointedEars.de> <mailman.392.1458396992.12893.python-list@python.org> <4500052.tJGngFWhWt@PointedEars.de>



On Sat, Mar 26, 2016 at 8:28 AM, Thomas 'PointedEars' Lahn
<PointedEars@web.de> wrote:
> Chris Angelico wrote:
>
>> […] Thomas 'PointedEars' Lahn […] wrote:
>>> Chris Angelico wrote:
>>>> […] Thomas 'PointedEars' Lahn […] wrote:
>>>>> Daniel Wilcox wrote:
>>>>>> Cool thanks, highly recommended to use an ORM to deter easy SQL
>>>>>> injections.
>>>>> That is to crack a nut with a sledgehammer.  SQL injection can be
>>>>> easily and more efficiently prevented with prepared statements.  […]
>>>> You don't even need prepared statements. All you need is parameterized
>>>> queries.
>>> A prepared statement in this context uses a parameterized query.
>>> <https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29>
>>
>> I know what a prepared statement is. And I know that they are
>> effective. However they are overkill - as I said, you merely need
>> parameterization.
>
> Then enlighten me, please: How is “parameterization” or a “parameterized
> query”, as *you* understand it, different from a prepared statement?

This is a prepared statement:

http://www.postgresql.org/docs/current/static/sql-prepare.html

You use a special "PREPARE" query to create *and store* a half-run
query, and then you execute it afterwards. Back in the 1990s, I had
the option of actually *compiling* my SQL queries as part of my C
code, which would prepare all the queries for future execution. It is
completely different from the dynamic parameterized queries that most
people use.

Parameterization is a more general concept which prepared statements
invariably use, but which general code need not use. A Python database
connector could choose to PREPARE/EXECUTE for every query it's given,
or it could choose to escape all the parameters and embed them, or it
could (if it's using a decent database back-end like PostgreSQL)
simply send the query and its associated parameters as-is. Only one of
these options is a "prepared statement". All three are "parameterized
queries", at least from the POV of Python code.

ChrisA

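The three routes Chris describes (string-building with escaping, and handing the driver the SQL text and the values separately) can be seen side by side in plain Python. The example below is added here and is not code from the thread or from the WP-A project; it uses the standard-library sqlite3 module as a stand-in for a PostgreSQL connector because it runs offline, and the `links` table, its rows and the attacker-supplied slug are constructed for the demonstration. sqlite3's `?` placeholder corresponds to psycopg2's `%s`; the DB-API paramstyle differs per driver but the idea is the same.

```python
import sqlite3

# Constructed sample data for a URL-shortener table (not from the original post).
SHORT_LINKS = [
    ("abc123", "https://example.com/", "alice"),
    ("xyz789", "https://example.org/", "bob"),
]

# Hypothetical attacker-supplied slug, e.g. from /<slug> in the URL path.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (slug TEXT PRIMARY KEY, target TEXT NOT NULL, owner TEXT NOT NULL)"
    )
    # executemany with placeholders is itself a parameterized query.
    conn.executemany("INSERT INTO links VALUES (?, ?, ?)", SHORT_LINKS)
    conn.commit()
    return conn


def lookup_unsafe(conn, slug):
    """Embed the value into the SQL text by string formatting.

    The slug becomes part of the statement, so a quote in it changes the
    query's structure: this is the SQL injection hole under discussion.
    """
    sql = "SELECT target FROM links WHERE slug = '%s'" % slug
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, slug):
    """Escape the value and embed it (Chris's second route).

    Doubling single quotes is the correct escape for an SQLite string
    literal, but doing this by hand is fragile across drivers, encodings
    and non-string types, which is why drivers do the binding instead.
    """
    sql = "SELECT target FROM links WHERE slug = '%s'" % slug.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, slug):
    """Parameterized query (Chris's third route).

    The SQL text and the value travel to the driver separately; the value
    is bound as data and can never be parsed as SQL, whatever it contains.
    """
    sql = "SELECT target FROM links WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


if __name__ == "__main__":
    db = make_db()
    print("normal slug:", lookup_param(db, "abc123"))
    print("unsafe + injection:", lookup_unsafe(db, INJECTION))    # leaks every row
    print("escaped + injection:", lookup_escaped(db, INJECTION))  # []
    print("param + injection:", lookup_param(db, INJECTION))      # []
```

The injected slug turns the string-built query into `... WHERE slug = '' OR '1'='1'`, which matches every row; the same slug handed over as a parameter simply fails to match anything. Whether the driver implements the binding with a server-side PREPARE, with client-side quoting, or by sending the text and values in one protocol message is invisible at this level, which is the distinction the post draws.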


Thread

Re: WP-A: A New URL Shortener Daniel Wilcox <dmw@yubasolutions.com> - 2016-03-17 15:34 -0700
  Re: WP-A: A New URL Shortener Thomas 'PointedEars' Lahn <PointedEars@web.de> - 2016-03-18 00:17 +0100
    Re: WP-A: A New URL Shortener Thomas 'PointedEars' Lahn <PointedEars@web.de> - 2016-03-19 15:00 +0100
      Re: WP-A: A New URL Shortener Thomas 'PointedEars' Lahn <PointedEars@web.de> - 2016-03-25 22:28 +0100
        Re: WP-A: A New URL Shortener Chris Angelico <rosuav@gmail.com> - 2016-03-26 08:48 +1100
          Re: WP-A: A New URL Shortener Thomas 'PointedEars' Lahn <PointedEars@web.de> - 2016-03-25 23:25 +0100
            Re: WP-A: A New URL Shortener Chris Angelico <rosuav@gmail.com> - 2016-03-26 10:04 +1100
              Re: WP-A: A New URL Shortener Thomas 'PointedEars' Lahn <PointedEars@web.de> - 2016-03-26 04:30 +0100
                Re: WP-A: A New URL Shortener Chris Angelico <rosuav@gmail.com> - 2016-03-26 14:46 +1100
                Re: WP-A: A New URL Shortener Thomas 'PointedEars' Lahn <PointedEars@web.de> - 2016-04-06 20:42 +0200
