• ricecake@sh.itjust.works
    7 hours ago

    My standard for an ORM is that if it’s doing something wrong or I need to do something special, it’s trivial to move it aside and either use plain SQL or its SQL generator myself.

    In production code, plain SQL strings are a concern for me since they’re subject to the whole array of human errors and vulnerabilities.

    Something like stmt = select(users).where(users.c.name == 'somename') is basically as flexible as the string, but it’s not going to forget a quote or neglect to use SQL escaping or to parametrize the query.

    And sometimes you just need it to get out of the way because your query is reaaaaaal weird, although at that point a view you wrap with the ORM might be better.

    If you’ve done things right though, most of the time you’ll be doing simple primary key lookups and joins with a few filters at most.
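Added example, not from the comment above and not SQLAlchemy's own code: a toy expression builder in the shape of the select(users).where(users.c.name == 'somename') line, showing why the generator cannot "forget a quote": the compared value never enters the SQL text, it is emitted as a placeholder and passed as a bound parameter. The classes, the users schema, demo_db and the lookup_* helpers are hypothetical and use only the standard library; lookup_raw_string is the hand-written-string version kept alongside for comparison.

```python
import sqlite3
from types import SimpleNamespace

class Predicate:
    """A comparison whose right-hand value is carried separately from the SQL text."""
    def __init__(self, col, op, value):
        self.col, self.op, self.value = col, op, value
    def compile(self):
        # The value never enters the SQL string: it becomes a '?' placeholder plus
        # a bound parameter, so the driver, not the programmer, handles quoting.
        return f"{self.col.table.name}.{self.col.name} {self.op} ?", [self.value]

class Column:
    def __init__(self, table, name):
        self.table, self.name = table, name
    def __eq__(self, value):  # users.c.name == 'somename' -> Predicate
        return Predicate(self, "=", value)

class Table:
    def __init__(self, name, *columns):
        self.name, self.c = name, SimpleNamespace(**{c: Column(self, c) for c in columns})

class Select:
    def __init__(self, table):
        self.table, self.predicates = table, []
    def where(self, predicate):
        self.predicates.append(predicate)
        return self
    def compile(self):
        sql, params = f"SELECT id FROM {self.table.name}", []
        for i, pred in enumerate(self.predicates):
            frag, vals = pred.compile()
            sql += (" WHERE " if i == 0 else " AND ") + frag
            params += vals
        return sql, params

def select(table):
    return Select(table)

users = Table("users", "id", "name")  # constructed schema for the demo

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def lookup_generated(conn, name):
    """Builder path: the value always travels as a bound parameter."""
    sql, params = select(users).where(users.c.name == name).compile()
    return [row[0] for row in conn.execute(sql, params)]

def lookup_raw_string(conn, name):
    """Hand-written string: a stray quote in `name` changes the query's meaning."""
    return [row[0] for row in conn.execute(f"SELECT id FROM users WHERE name = '{name}'")]
```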