by memracom 4627 days ago
The advice given to programmers using an ORM or a database access library just doesn't work for programmers building one. He can't just "use" bind variables. He has to incorporate the concept into his code.

It is unfortunate that the Python DB-API evolved in the way that it did. It is only an API doc, and therefore every db library has to reimplement much of the same functionality, like the string escaping that prevents SQL injection attacks.

It would do a lot of good for a simple thin mapper like this to be more widely used so that more people can see what is involved in making things secure, as opposed to just piggybacking on a library that does everything for you.
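To make the comment's point concrete, here is an added example (not code from the commenter or from any library the thread discusses): a hypothetical thin mapper over the DB-API that incorporates bind variables rather than escaping strings. It assumes the `sqlite3` module and a constructed `users` table; column names, which cannot be bound, are checked against a whitelist instead.

```python
import sqlite3

# Constructed schema and rows; the quote in "O'Brien" is the interesting case.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
ROWS = [(1, "alice", "admin"), (2, "O'Brien", "user"), (3, "bob", "user")]

# DB-API only names the paramstyle; the mapper must map it to a placeholder.
PLACEHOLDER = {"qmark": "?", "format": "%s"}

class ThinMapper:
    """Hypothetical minimal mapper: it assembles SQL text from a filter dict
    but never splices values into it; values travel as bind parameters."""

    def __init__(self, conn, paramstyle, table, columns):
        if paramstyle not in PLACEHOLDER:
            raise NotImplementedError(f"paramstyle {paramstyle!r} not handled")
        self.conn = conn
        self.ph = PLACEHOLDER[paramstyle]
        self.table = table                 # trusted: fixed at construction
        self.columns = frozenset(columns)  # identifier whitelist

    def select(self, **filters):
        # Identifiers cannot be bound, so column names are checked against
        # the whitelist rather than escaped.
        for col in filters:
            if col not in self.columns:
                raise ValueError(f"unknown column: {col!r}")
        sql = f"SELECT id, name, role FROM {self.table}"
        if filters:
            sql += " WHERE " + " AND ".join(f"{c} = {self.ph}" for c in filters)
        sql += " ORDER BY id"
        # Values are handed to the driver separately, so a quote in the
        # input is data, not SQL syntax.
        return self.conn.execute(sql, list(filters.values())).fetchall()

def make_demo_mapper():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return ThinMapper(conn, sqlite3.paramstyle, "users", ["id", "name", "role"])

def rejects_column(mapper, column):
    """True if the mapper refuses a column name outside its whitelist."""
    try:
        mapper.select(**{column: "x"})
    except ValueError:
        return True
    return False
```

`select(name="O'Brien")` finds the row without any escaping in the mapper, while a filter value shaped like SQL is matched literally and returns nothing.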