DEV Community

Discussion on: SQL is Insecure

jD91mZM2

I really REALLY don't wanna go back to storing JSON files. And I don't see any problem with prepared statements at all. And I'm bloody 14 years old. That's pretty young. I might not be a fast coder, but I do appreciate security even at this age and backwards. So I think instead of dropping the world's largest database engines, we learn to use prepared statements. PERIOD.
I've - only one single time not used prepared, but on my own hardcoded input - used anything else than prepared when there is a variable involved.

The ONLY thing they could do easier is making an SQL client where you call methods like
SELECT("test").FROM("database").EXEC()
That would work

Thank you for reading, I guess ¯\_(ツ)_/¯!
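Added here as an illustration, not code from the thread: the string-concatenated query beside the prepared-statement version, and a tiny chaining builder in the SELECT(...).FROM(...).EXEC() spirit the comment above suggests. The `Query` class is a hypothetical API and the sqlite3 in-memory table is constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table, just for this demonstration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("O'Brien", "user")])

def find_user_concat(name):
    """Insecure: the input is pasted into the SQL text, so SQLite parses
    whatever it contains as SQL (a stray quote already breaks the query)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_prepared(name):
    """Prepared statement: the input is bound to ? and only ever treated as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

class Query:
    """Hypothetical chaining builder: identifiers must match a strict pattern,
    and every value reaches the database as a bound parameter, never as SQL text."""
    _ident = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

    def __init__(self):
        self._cols, self._table, self._where, self._params = [], None, [], []
    def _check(self, ident):
        if not self._ident.match(ident):
            raise ValueError("invalid identifier: %r" % ident)
        return ident
    def SELECT(self, *cols):
        self._cols = [self._check(c) for c in cols]
        return self
    def FROM(self, table):
        self._table = self._check(table)
        return self
    def WHERE(self, col, value):
        self._where.append("%s = ?" % self._check(col))
        self._params.append(value)
        return self
    def EXEC(self):
        sql = "SELECT %s FROM %s" % (", ".join(self._cols), self._table)
        if self._where:
            sql += " WHERE " + " AND ".join(self._where)
        return [tuple(r) for r in conn.execute(sql, self._params)]
```

With the name `O'Brien`, the concatenated query fails to parse because the quote is read as SQL, while the prepared statement and the builder return the row as data.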

Bill C

This is pretty much the approach that Ecto takes (which is the popular ORM that Elixir is using). It's the most expressive ORM I've used, and it doesn't neuter the power of the language.

Highly recommend putting your sql behind some kind of ORM.

jD91mZM2

Thank you for your input! Cool to know something like this already exists!

Tim Kellogg

So cool seeing a young developer like yourself interested in writing quality code. I think your thoughts are on the right track in terms of API. One of the tough things that you'll learn in the next few years is that, even though you put a lot of effort into making good decisions, there's 100 others that are paid per line of code. Just because a tool is useful doesn't mean it should be used.

For instance, manual memory management. We've done a good job making developers scared of writing C and having to manage memory using malloc/free. That's saved us a lot of buggy programs and a ton of security vulnerabilities (e.g. sloppily reused buffers). We need to do the same thing with SQL. I mean, C# has Linq, that seems to have worked reasonably well.

jD91mZM2

I think SQL is neither hard enough nor critical enough to just abandon.
And if somebody started paying me for doing a sloppy job, I'd switch jobs. And god knows what I'd do if there are no "good" jobs...