m60freeman
commented
1 year ago While it is true that "ORMs can help prevent SQL injection attacks by automatically parameterizing queries and escaping user input", it takes careful use of specific development practices for this to occur so they often stuff hard-coded values into queries rather than parameterizing them. The developers are almost always surprised when this is brought to their attention by a DBA. My favorite is seeing Entity Framework/LINQ generate an IN() that contains thousands of literal values in a WHERE clause.
Comments for the blog post that is, or will be live at https://littlekendra.com/2023/01/18/chat-gpt-discusses-orms-and-databases/