I came into my rather new team 3 months ago as a PHP developer and had to start coding in Python instead, and all of my 4 new coworkers were quite sufficient in Python (or so they claimed) due to working with it for years. When I looked into the database handler they had built, it had no support for prepared statements, so when I asked them about it they didn't even know that was a thing. They were preformatting all of their queries for all these years, in production. And they are all at least 10 years older than me, with that much more experience as well. I got quite scared for the company's future after that.
thoxx @sebh0602:
This can cause SQL injection. You can end and modify SQL statements sent to the database via injected strings (parameters/placeholders can prevent injection, and most OR-mappers do this internally).
Xenotoad @sebh0602:
Imagine your code looks like this:
db.query("INSERT INTO Students VALUES ('" + name + "');");
Then your friendly neighborhood school tries to add your kid named
Robert'); DROP TABLE Students;--
Well, then the query you run winds up looking more like this...
INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;--');
You can probably guess what a semicolon does, what DROP TABLE is, and that "--" is a SQL comment...
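The comment above describes the effect in the abstract; the following is an added example (not code from the rant or from either commenter) that runs the same "Bobby Tables" input through both query styles against an in-memory SQLite database, using Python because that is the language the rant is about. The table, the sample rows and the `MALICIOUS_NAME` value are constructed for the demo. It uses `executescript` for the string-built query so that stacked statements actually execute, mirroring drivers that accept several statements per call; Python's own `sqlite3.execute()` happens to refuse a second statement, but that is a driver quirk, not a defence, since an injected string can still rewrite the single statement it lands in.

```python
import sqlite3

# Constructed sample input: the name from the comment above, which closes the
# quoted value, terminates the INSERT and smuggles in a second statement.
MALICIOUS_NAME = "Robert'); DROP TABLE Students;--"


def setup_db():
    """Fresh in-memory database with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn):
    """True if the Students table is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None


def student_names(conn):
    """All names currently stored, sorted for stable comparison."""
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def insert_formatted(conn, name):
    """The pattern from the rant: the query text is built from the user value.

    Whatever the caller passes becomes part of the SQL grammar, so quotes,
    semicolons and comment markers in `name` are interpreted by the parser.
    Returns whether the Students table survived the call.
    """
    sql = "INSERT INTO Students VALUES ('" + name + "');"
    conn.executescript(sql)  # executes every statement the string contains
    return table_exists(conn)


def insert_parameterized(conn, name):
    """The prepared-statement form: SQL text and value travel separately.

    The driver binds `name` as data, so the same input is stored verbatim as a
    string and can never change the shape of the statement.
    Returns whether the Students table survived the call.
    """
    conn.execute("INSERT INTO Students VALUES (?)", (name,))
    conn.commit()
    return table_exists(conn)


if __name__ == "__main__":
    db = setup_db()
    print("formatted, benign name -> table exists:", insert_formatted(db, "Robert"))
    print("formatted, Bobby Tables -> table exists:", insert_formatted(db, MALICIOUS_NAME))
    db = setup_db()
    print("parameterized, Bobby Tables -> table exists:", insert_parameterized(db, MALICIOUS_NAME))
    print("stored names:", student_names(db))
```

Running the module prints `True`, `False`, `True` for the three checks: the formatted query drops the table, while the parameterized one simply stores the odd-looking name as a row. The fix for a hand-rolled database handler like the one in the rant is the second function's shape, where every value goes through the driver's placeholder mechanism and the SQL text never contains user input.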