[jcoffland]

ORMs are almost always a bad idea. They add an unnecessary layer of complexity which will result in both speed and space inefficiencies. If your project is small just use SQL, it will be easier. If your project is large you will end up writing a lot of customized SQL anyway, so just use SQL. If your project is in the middle, will never become large, you won't have to support it later and you already know the ORM tool then you may benefit from ORM.

[sirclueless]

If your project cares at all about security you should at least be using some form of query builder. The bare minimum is a system that binds parameters of a query to user data without manual escaping.

From there the distinction between ORMs and query builders gets fuzzy, it's more of a spectrum than a bright line. I particularly like SQLAlchemy's model of a core SQL-building library with an ORM you can use piecemeal around it.

[jcoffland]

Probably every modern SQL API supports safe query construction with out a third-party query builder. Building queries with simple string concatination is a bad idea but that's not a justification for the complexity of ORM.