Object-Relational Mapper ¶

When taking a look at object-relational mappers (ORMs) we are concerned with a few things in particular:

Is the ORM using bound parameters for all the different backends? We must verify each one.

Can developers write raw SQL queries using bound parameters, or does it just use string interpolation behind the scenes?

Is the documentation clear about the risks of writing raw SQL queries with user input? What escaping mechanisms are provided to escape user-supplied data?

Version: latest
Edited by Craig Younkins on 7/26/10 1:35 PM
History
Edit

Creative Commons 3.0 License

Where Am I?

You're on PythonSecurity.org, the home for security in Python.

This page

Edit
History | Feed

This wiki

All pages | Feed
Latest changes | Feed

An OWASP project created by Craig Younkins

Powered by Moe and Google App Engine