Is using SQL queries over the ORM good practice in Magento 2? Which one is best while customizing, in terms of:
1) Security
2) Speed
ORM vs SQL queries: which one gives security and speed while working with the database in Magento 2?
Can anyone explain?
Thanks in advance.
Best Answer
SQL queries are not recommended in the official Magento documentation:
Avoid raw SQL queries; use the database adapter (Magento\Framework\DB\Adapter\Pdo\Mysql by default) to build and execute queries and move all data access code to a resource model.
Refer: https://devdocs.magento.com/guides/v2.3/ext-best-practices/extension-coding/security-performance-data-bp.html
Updated answer:
Prevent Magento SQL Injection – Use Prepared Statements
The alternate option to dynamic queries is prepared statements. These are statements which are prepared first and parsed later on. So, the database stores the statement without executing it. It first checks the parameters. Later it ensures that a string input is a string only, and so on. This ensures that the input is not mischievous. Once all the parameters are checked, it executes the statement, thus ensuring that no Magento SQL injection attack occurs. Given below is a prepared statement implementation in MySQL and PHP.
Magento uses the Zend framework. So, in that case, the components of the Zend framework can be used. Bind the query parameters to the query with Zend_Db_Select’s bind rather than using a full SQL statement. Like this:
[Image: Magento SQL injection prepared statement]
Refer: https://www.getastra.com/blog/cms/magento-security/magento-sql-injection-outcomes-find-and-fix/
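To make the answer concrete, here is an added example (not code from the question, the answer, or Magento itself) of a Magento 2 resource model that shows a raw concatenated query beside the two safe forms the answer describes: the adapter's `?` placeholder (filled via quoteInto) and Zend_Db_Select's named bind. The table `vendor_newsletter_box` and its columns are assumptions for illustration.

```php
<?php
// Added example, not code from the question, the answer or Magento itself.
// Assumed custom table `vendor_newsletter_box` (entity_id, email, status).
namespace Vendor\Module\Model\ResourceModel;

use Magento\Framework\Model\ResourceModel\Db\AbstractDb;

class Subscriber extends AbstractDb
{
    protected function _construct()
    {
        // main table + primary key; getMainTable() applies any table prefix
        $this->_init('vendor_newsletter_box', 'entity_id');
    }

    // UNSAFE: user input is concatenated into the SQL text, so a value
    // containing a quote character changes the statement's structure.
    public function findByEmailUnsafe(string $email): array
    {
        $sql = "SELECT entity_id, email, status FROM " . $this->getMainTable()
             . " WHERE email = '" . $email . "'";
        return $this->getConnection()->fetchAll($sql);
    }

    // SAFE: the adapter fills the `?` placeholder with quoteInto(), so the
    // value is always escaped as data and never parsed as SQL.
    public function findByEmail(string $email): array
    {
        $connection = $this->getConnection();
        $select = $connection->select()
            ->from($this->getMainTable(), ['entity_id', 'email', 'status'])
            ->where('email = ?', $email)
            ->where('status = ?', 1);
        return $connection->fetchAll($select);
    }

    // SAFE, named-bind variant (Zend_Db_Select::bind): the statement is
    // prepared with :email and the value is passed separately at execution.
    public function findByEmailBound(string $email): array
    {
        $connection = $this->getConnection();
        $select = $connection->select()
            ->from($this->getMainTable(), ['entity_id', 'email', 'status'])
            ->where('email = :email')
            ->bind([':email' => $email]);
        return $connection->fetchAll($select);
    }
}
```

Both safe variants also keep the data access inside the resource model, which is the structure the Magento documentation quoted above asks for.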