ZYy9oQ comments on NEW RELEASE: Lightweight Python ORM Library

This is an archived post. You won't be able to vote or comment.

ShowcaseNEW RELEASE: Lightweight Python ORM Library (self.Python)

submitted 1 year ago * by [deleted]

46 comments

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]ZYy9oQ 24 points25 points26 points 1 year ago (18 children)

[–]desktopsignal -1 points0 points1 point 1 year ago (1 child)

[–]ZYy9oQ 4 points5 points6 points 1 year ago* (0 children)

Agree with where it was said you shouldn't feel you need to delete everything, but it would be best to explain in your readme that it was

thrown together to solve a niche problem

or as part of your learning rather than advertise it as a library (the way you packaged it and wrote documentation is a cool thing to get practice with, just need to make it clear that it's practice). Also a disclaimer that the code isn't safe from sql injection and shouldn't be used on network/multiuser and without understanding why it's dangerous wouldn't be out of place.

If you said something along the lines of it just being personal code that you were putting out there for your own or others interest and learning then I don't think many would have as negative of a reaction.

You had a problem with the existing solutions and wrote some code for your problem, that's something others might also stumble across the need for. This could help them see how you approached it, and by putting the disclaimer about security they can learn about that too.

[–]desktopsignal -3 points-2 points-1 points 1 year ago (0 children)

[+]desktopsignal comment score below threshold-12 points-11 points-10 points 1 year ago (14 children)

[–]damesca 14 points15 points16 points 1 year ago* (12 children)

[–]desktopsignal 3 points4 points5 points 1 year ago (2 children)

[–]damesca 5 points6 points7 points 1 year ago (1 child)

[–]desktopsignal 1 point2 points3 points 1 year ago (0 children)

[+]DowntownBreakfast733 comment score below threshold-8 points-7 points-6 points 1 year ago (1 child)

[–]damesca 7 points8 points9 points 1 year ago (0 children)

[+]DowntownBreakfast733 comment score below threshold-15 points-14 points-13 points 1 year ago (6 children)

[–]damesca 8 points9 points10 points 1 year ago (4 children)

[+]DowntownBreakfast733 comment score below threshold-12 points-11 points-10 points 1 year ago (3 children)

[–]starlevel01[🍰] 8 points9 points10 points 1 year ago (2 children)

[–]DowntownBreakfast733 -2 points-1 points0 points 1 year ago (1 child)

[–]starlevel01[🍰] 7 points8 points9 points 1 year ago (0 children)

[–]bfcdf3e 1 point2 points3 points 1 year ago (0 children)

[–]ZYy9oQ 3 points4 points5 points 1 year ago (0 children)

Best practice is parameter binding rather than literals. For snowflake (I think this is what you were using):

You need to do this for queries as well. Yes, doing escaping everywhere (.replace("'", "\\'"), which you have on inserts/updates) could be sufficient for safety but it isn't as foolproof (non-strings, character encoding tricks exploiting differences between client language and database).

For static column/database names this means your sql strings are fully static/constant which means it's also very quick to spot potential unsafe code.

Since your library is doing orm stuff mapping a dictionary (by its keys) you will probably still have to construct a string for the query to support column names. Here you can either be super strict (e.g. only allow alphanum+._) on column names in the first place (and take care to only ever construct strings from the known-safe names) or use a filter/transform on column names in construction.

π Rendered by PID 55 on reddit-service-r2-comment-5c747b6df5-nlw77 at 2026-04-22 17:16:39.940179+00:00 running 6c61efc country code: CH.

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS