by jagged-chisel 343 days ago
Doing your own escaping is digital whack-a-mole. Let the experts who wrote the prepared statement interface handle it. The knowledge of a team and/or years of experience compressed into an interface that’s trivial to use.

Parameterized statements don't actually abstract over escaping; they entirely obviate the need for it, by moving the untrusted data out of band.
It’s the safest interface to your database query engine no matter how it does the job. That’s what matters.
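The point the thread makes, shown in runnable form. This is an added example, not code from either commenter: a constructed in-memory SQLite table, a query built by string concatenation, a query guarded by a home-grown quote escaper, and the parameterized equivalents. The escaper is hypothetical and deliberately incomplete to show why escaping is context-specific: it handles string literals, but the value it guards is used in a numeric position, so a payload with no quotes at all walks straight through. The parameterized queries send the same payloads out of band and return nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable: untrusted input is spliced into the SQL text, in band."""
    sql = f"SELECT secret FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized: the SQL text is fixed; the value travels out of band."""
    sql = "SELECT secret FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_quotes(value: str) -> str:
    """Hypothetical home-grown escaper that only knows about string literals."""
    return value.replace("'", "''")


def lookup_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Still vulnerable: the escaper guards quotes, but this position is numeric,
    so a payload with no quotes (e.g. "1 OR 1=1") is left untouched."""
    sql = f"SELECT secret FROM users WHERE id = {escape_quotes(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Parameterized: the payload is just a value compared against the id column.
    SQLite applies the column's INTEGER affinity to the bound text, so "2" matches
    id 2 while "1 OR 1=1" is compared as a non-numeric string and matches nothing."""
    sql = "SELECT secret FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Constructed injection payloads for the two contexts.
STRING_PAYLOAD = "x' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"


if __name__ == "__main__":
    db = make_db()
    print("concat, payload   :", lookup_concat(db, STRING_PAYLOAD))     # both secrets
    print("param, payload    :", lookup_param(db, STRING_PAYLOAD))      # []
    print("escaped, payload  :", lookup_by_id_escaped(db, NUMERIC_PAYLOAD))  # both secrets
    print("param, payload    :", lookup_by_id_param(db, NUMERIC_PAYLOAD))    # []
```

Running it shows the legitimate lookups (`"alice"`, `"2"`) returning one secret in every variant, while the two payloads dump the whole table through the concatenated and "escaped" queries and return nothing through the parameterized ones. The `?` placeholder style is SQLite's; other drivers use `%s` or `$1`, but the separation of statement text from values is the same.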