[mattmanser]

People are actually starring it! Is this some sort of subtle joke?

Just to emphatically underline ecopoesis' point, this code is completely insecure, open to the most basic SQL injection attacks.

Op you need to delete the repo asap.

[jmgutn]

Of course I'm not saying this code is suitable for production. It's just a toy "ORM". How you could possibly think I'm trying to replace something like sqlalchemy with 50 lines of code? Please guys, I'm not gonna delete the repo. It's just for fun. I'll add a warning about the sql injection problems and explicitly tell that this code is NOT for production. Event when I think that is obvious.

[woud420]

I don't even think it's ready to be used in a prototype. No joins, no unions, as mentionned before SQL injections. I mean, besides teaching yourself what a basic Mapper is, I don't see any use to this.

[jmgutn]

Not just teaching myself. This could teach anyone else that didn't know about object mappers. Even if this is the most insecure code in the world, it can be improved. That's the reason it is on github. You could contribute and add joins, unions, sanitize the user inputs, etc.

[memracom]

Hey, it's a github repo. If you have discovered an issue with it, then clone the repo, fix the issue, and send in a pull request.

Yes, it does the simple form of variable substitution that opens the door to SQL injection attacks, but using a .execute method with ? in the SQL for variable substition is not the real solution. The real solution is what happens inside the .execute methods. There is no reason why that same code could not be incorporated in this mapper, and still maintain the goal of a minimal data access layer with no magic.

You can get some ideas in how to improve the code here https://github.com/PyMySQL/PyMySQL/blob/master/pymysql/curso... starting around line 91.