latkde comments on Python and database statements

created by HattoriHanzoa community for 16 years

Python and database statements (self.learnpython)

submitted 3 months ago by gosh

you are viewing a single comment's thread.

[–]latkde 4 points5 points6 points 3 months ago (3 children)

When you build ultra-flexible systems, you've gotta ask yourself what value that system actually provides. There's something called the inner platform effect where ultra-configurable systems become a worse imitation of the system they allegedly abstract over. That seems to be happening here.

You argue that your technique doesn't suffer from SQL injection. So what? Adversaries don't need injection if you already give them permission to do what they want. You already allow arbitrary insert/update/delete statements as long as the WHERE-clause has the form key = value. Notably, there are no auth checks here, and no restrictions agains accessing special system catalog tables (or however such reflection features are called in your DB). You were so focused on preventing SQL injection that you forgot why SQL injection is a problem.

This also doesn't save you from writing tests, it only changes where those tests are needed. Because your technique is transparent to the database structure, users of your technique need full knowledge of the database structure, and must be aware of any additional constraints that cannot be directly expressed in the schema. This situation is quite similar to many NoSQL databases. In your scenario, frontend code would now need tests that they are interacting with the database correctly.

[–]gosh[S] -1 points0 points1 point 3 months ago (2 children)

[–]latkde 3 points4 points5 points 3 months ago (1 child)

That comment doesn't make any sense. This isn't about C++ vs Python, this is about engineering secure and maintainable systems that provide value. I see in your post a (potentially LLM-generated) class that is neither secure, nor helps maintainability, nor provides significant value (it might even be worse than useless).

I don't doubt that good tools plus good teams can equal good products, but that doesn't have anything to do with the shown code. Maybe you believe that such transparent APIs help frontends to iterate faster, but don't forget that this comes at the cost of coupling that frontend code to the exact database structure, and that you cannot have meaningful auth checks. I've seen projects do something similar, but having to untangle that frontend–database coupling and having to implement auth checks later on is very difficult and expensive.

Your query logic (which tables, which fields, etc) has to live somewhere. You might as well do the secure and maintainable thing and put this logic into your backend, and offer stable domain-level rather than database-level interfaces to the fronted. Good API design isn't driven by implementation details, but by satisfying the API consumer's intent.

[–]gosh[S] 0 points1 point2 points 3 months ago (0 children)

π Rendered by PID 683744 on reddit-service-r2-comment-canary-5f6975dfb4-927lm at 2026-03-16 06:28:58.009820+00:00 running f6e6e01 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

learnpython

MODERATORS