On 7/1/06, Charles Duffy <[EMAIL PROTECTED]> wrote:
> Tzahi Fadida wrote:
>> I am interested to know if SQLAlchemy is considered production ready,
>> at least the ORM and the basic CRUD SQL queries areas and transactions.
>> (and the connection to PostgreSQL).
>> Well, at least compared to SQLObject.
>> Obviously SQLAlchemy is more powerful but sometimes you have to sacrifice
>> features for stability.

> I would be wary of using SQLObject in production because of its non-use
> of bind variables, and thus its potential vulnerability (and, in the
> case of PostgreSQL with unicode strings which can be passed in
> unfiltered from untrusted sources, actual vulnerability) to SQL
> injection attacks.

SQLAlchemy uses bind variables wherever the db driver supports it. I think this even includes MySQL, these days.

> Additionally, there is a rather massive performance
> impact on account of this same decision -- I've seen Oracle logs
> indicating that 50% of the time spent by the database was soft parse
> time, which would have been one-time-only per query (as opposed to per
> instance of a given query) otherwise.

You're confusing bind variables with prepared statements.

If your queries run so fast that parsing is really your bottleneck, then either you are working on a toy problem or you have so much money to throw at fast disks that hiring Michael to write a prepared statement cache for SQLAlchemy would not be a problem :)

--
Jonathan Ellis
http://spyced.blogspot.com
_______________________________________________
Sqlalchemy-users mailing list
Sqlalchemy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlalchemy-users
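The point Charles and Jonathan are arguing about is what a bind variable buys you: the SQL text stays fixed and the driver hands the value to the database separately, so quote characters in the value can never rewrite the statement. The following is an added example (not code from the thread, SQLAlchemy or SQLObject) that shows the two approaches side by side on Python's standard-library sqlite3 driver, using the same DB-API parameter passing that SQLAlchemy relies on underneath. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows; the third one has a legitimate apostrophe in it.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """The no-bind-variables style the thread warns about: the value is pasted
    into the SQL text, so any quote inside it becomes part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Bind-variable style: the SQL text never changes; the driver sends the
    value separately, so it can only ever be compared literally as a name."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on a fresh database and report what each returned.
    A parse error from the interpolated version is reported as a string so
    the caller can see the failure instead of an exception."""
    conn = make_db()
    try:
        try:
            interpolated = lookup_interpolated(conn, name)
        except sqlite3.Error as exc:
            interpolated = "error: %s" % exc
        bound = lookup_bound(conn, name)
    finally:
        conn.close()
    return {"interpolated": interpolated, "bound": bound}


if __name__ == "__main__":
    # Ordinary input: both agree.
    print(compare("alice"))
    # Hostile input: the interpolated query turns into a tautology and returns
    # every row; the bound query returns nothing because no such name exists.
    print(compare("x' OR 'a'='a"))
    # Legitimate apostrophe: the interpolated query breaks, the bound one works.
    print(compare("o'brien"))
```

The same mechanism is what an audit should look for in any ORM or hand-written data layer: every value that reaches a query goes through the driver's parameter slot, never through string formatting. Note that this shows only the binding half of the discussion; whether the database keeps the parsed plan across executions is the prepared-statement question Jonathan separates out, and the example does not demonstrate that.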
