
Commit 1d21d66

Update secure_software_development_fundamentals.md
Co-authored-by: Ashwin Ramaswami <[email protected]>
1 parent cf0a8e4 commit 1d21d66

1 file changed: +1 -1 lines changed


secure_software_development_fundamentals.md

Lines changed: 1 addition & 1 deletion
@@ -2537,7 +2537,7 @@ or that the problem will be detected before shipping.
25372537

25382538
Many programs use object-relational mapping (ORM). This is just a technique to automatically convert data in a relational database into an object in an object-oriented programming language and back; lots of libraries and frameworks will do this for you. This is fine, as long as the ORM is implemented using parameterized statements or something equivalent to them. In practice, any good ORM implementation will do so. So if you are using a respected ORM, you are already doing this. That said, it is common in systems that use ORMs to occasionally need to use SQL queries directly… and when you do, use parameterized statements or prepared statements.
25392539

2540-
Some applications use a "query builder" library to build commands (queries) programmatically through a sequence of calls instead of embedding a command string. Some ORMs include a query builder system. Again, a well-implemented query builder will use parameterized statements or similar internally. So if you use a query builder, use that is implemented using parameterized statements and provide untrusted data as separate parameters however in the query builder requires for them to be correctly escaped.
2540+
Some applications use a "query builder" library to build commands (queries) programmatically through a sequence of calls instead of embedding a command string. Some ORMs include a query builder system. Again, a well-implemented query builder will use parameterized statements or similar internally. So if you use a query builder, use one that is implemented using parameterized statements and provides untrusted data as separate parameters however in the query builder requires for them to be correctly escaped.
25412541

25422542
There are other approaches, of course. You can write your own escape code, but this is difficult to get correct, and typically a waste of time since there are usually existing libraries to do the job.
25432543
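Review bot: the two word fixes in the added line 2540 are right ("use that is" to "use one that is"), but changing "provide" to "provides" moves the subject from the reader to the query builder, so the sentence now says the builder "provides untrusted data", which is the opposite of the intent; the original "provide" was an imperative aimed at the developer, parallel to "use one that". The tail "however in the query builder requires for them to be correctly escaped" is also still ungrammatical after this change. Suggested wording for the added line: "So if you use a query builder, use one that is implemented using parameterized statements, and provide untrusted data as separate parameters in whatever way the query builder requires so that they are correctly escaped." That keeps the security point of the paragraph (the builder parameterizes; the caller must hand it untrusted values as parameters rather than concatenating them into the builder calls) while fixing the grammar.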
