I would say it's unfair to compare a library to the basic PDO. If you want to compare apples to apples, try looking at Sequel versus Doctrine or some other third party SQL library.
Just like any other template language (thinking of something like ColdFusion or ASP), of course one unescaped variable is going to be a headache. But you don't have to use it that way, and probably shouldn't. While PHP started as a template language, it has clearly moved past that.
I do not think it is an unfair comparison since Sequel has both basic parts on the same level as PDO, and then implements the more advanced features on top of these basic parts. The basic parts of Sequel have superior usability and safety to PDO.
Sequel's right way:
user = db['SELECT name FROM users WHERE id = ?', id].first
Sequel's wrong way:
user = db["SELECT name FROM users WHERE id = #{id}"].first
PDO's right way:
$stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([$id]);
$user = $stmt->fetch();
PDO's wrong way:
$user = $db->query("SELECT name FROM users WHERE id = $id")->fetch();
As you can see PDO is optimized for doing things easily the unsafe way while Sequel has the safe way as the normal way of running queries which is just as easy to use as the unsafe way.
> Just like any other template language (thinking of something like ColdFusion or ASP), of course one unescaped variable is going to be a headache.
That is simply not true. Look at Twig which by default escapes everything automatically, or Rails's patched ERB which keeps track of escaped and unescaped strings based on data types and makes sure everything is automatically escaped in the end. In those template languages you need to explicitly do something unsafe to get an unescaped value. While in PHP you need to audit all places where echo can be called directly or indirectly.
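A constructed Ruby sketch of the escaped/unescaped tracking this comment describes, added here as an illustration and not taken from Rails or from either commenter; the SafeBuffer, TrustedString, safe_concat and html_safe names are assumptions modelled on the idea, not Rails's actual implementation.

```ruby
require 'cgi'

# Assumed, illustrative buffer: remembers that its own contents are already
# HTML-safe and escapes anything appended to it that is not marked safe.
class SafeBuffer < String
  def initialize(str = "")
    super(str)
  end

  def html_safe?
    true
  end

  # Append dynamic data: values that declare themselves safe pass through
  # verbatim; everything else (plain strings, numbers) is escaped.
  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)
    else
      super(CGI.escapeHTML(other.to_s))
    end
  end
  alias_method :concat, :<<

  # Append static template text written by the developer; never escaped.
  def safe_concat(str)
    String.instance_method(:<<).bind(self).call(str)
  end
end

# Assumed helper: the explicit opt-out a developer must use to emit raw markup.
class TrustedString < String
  def html_safe?
    true
  end
end

def html_safe(str)
  TrustedString.new(str)
end

# A tiny "template": static parts go in via safe_concat, interpolated
# values via <<, so untrusted input cannot reach the output unescaped.
def render_greeting(name, widget)
  buf = SafeBuffer.new
  buf.safe_concat("<p>Hello, ")
  buf << name          # user-controlled: escaped
  buf.safe_concat(" ")
  buf << widget        # only raw if someone wrapped it with html_safe
  buf.safe_concat("</p>")
  buf
end
```

Running `render_greeting("<script>x</script>", html_safe("<b>ok</b>"))` yields the script tag escaped and the bold tag intact, which is the "safe by default, unsafe only on request" behaviour being contrasted with a bare echo.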
Okay, so instead of Doctrine, look at another library that has the basic parts and then the advanced parts. Here is one from a different library that is safe and "easy"
> As you can see PDO is optimized for doing things easily the unsafe way while Sequel has the safe way as the normal way of running queries which is just as easy to use as the unsafe way.
PDO isn't "optimized" to do them the wrong way or the right way. Yes, it's less code to do it the wrong way, but that isn't a true definition of easier.
As for the escaping, I would expect Twig to escape things, it's what it's meant for (and the reason you use it instead of just vanilla PHP). And Rails is a subset of Ruby correct? So not a true comparison again.
Sure, I know there are good libraries for PHP, I mentioned Twig for example, but my issue is that the standard library of PHP is shitty and contains traps for beginners.