sunbum 3 hours ago

Agreed, write raw SQL, this has never had any security impact whatsoever[1]

- Your friendly local pentester

[1] - https://en.wikipedia.org/wiki/SQL_injection

christophilus 2 hours ago | parent | next [-]

Porsager’s Postgres package does a great job of letting you feel like you’re writing raw SQL, but avoids the attack vectors.

Anyway, I agree that ORMs are pretty terrible. I like writing SQL or using a lightweight builder like Kysely. Was a huge Dapper fan back in my C# days.

There are plenty of reasonable alternatives to ORMs that don’t open you to SQL injection attacks.

lowsong 2 hours ago | parent | prev [-]

Parameterized queries have been a thing for decades, which mitigate SQL injection attacks.[1] This is true of the examples in the post too, they used this:

  query = """
            SELECT * from tasks
            WHERE id = $1
            AND state = $2
            FOR UPDATE SKIP LOCKED
        """
  rec = await self.db.fetchone(query=query, args=[task_id, TaskState.PENDING], connection=connection)

[1] https://en.wikipedia.org/wiki/SQL_injection#Parameterized_st...
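The distinction lowsong is pointing at, as an added example that is not part of the thread or of the linked post: the same task lookup written once by string formatting and once as a parameterized query, using Python's sqlite3 (`?` placeholders where the post's snippet uses `$1`/`$2`) against a constructed in-memory `tasks` table. The parameterized path sends the values separately from the SQL text, so the driver never parses them as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the post's tasks table (three sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, state TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO tasks (id, state) VALUES (?, ?)",
        [(1, "pending"), (2, "pending"), (3, "done")],
    )
    return conn


def fetch_task_unsafe(conn: sqlite3.Connection, task_id: str, state: str) -> list:
    # Vulnerable on purpose: caller-supplied strings are spliced into the SQL text,
    # so they can alter the query's structure instead of only supplying values.
    query = f"SELECT id, state FROM tasks WHERE id = {task_id} AND state = '{state}'"
    return conn.execute(query).fetchall()


def fetch_task_safe(conn: sqlite3.Connection, task_id: str, state: str) -> list:
    # Parameterized: the SQL text is fixed; the values are bound by the driver
    # and compared as data, whatever characters they contain.
    query = "SELECT id, state FROM tasks WHERE id = ? AND state = ?"
    return conn.execute(query, (task_id, state)).fetchall()


def demo() -> dict:
    """Run both paths with a benign state value and a crafted one (constructed input)."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # becomes SQL in the unsafe path, stays a plain string in the safe path
    return {
        "unsafe_benign": fetch_task_unsafe(conn, "2", "pending"),
        "safe_benign": fetch_task_safe(conn, "2", "pending"),
        "unsafe_crafted": fetch_task_unsafe(conn, "1", crafted),  # returns every row
        "safe_crafted": fetch_task_safe(conn, "1", crafted),  # returns no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```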