For some reason, as of late, I can't seem to attend any user group or conference without a speaker slating ORM's. Several speakers at the PHP UK Conference this year expressed their disapproval, as well as the speaker at this months PHP London talk. However, no one is giving me a strong enough argument to not use an ORM. Remarks such as "That's a whole other talk" or "Don't get me started on ORM's" seem to be thrown about. But whenever I get a chance to talk about any concerns or issues they're having the conversation just seems to deflate. Am I missing something really terrible about ORM's that's going to creep up and bite me?

He goes through and lists some of the most common and explains how, once you get past some of the initial impressions, they might not be so bad:

• Using ORMs means having a one to one relation between object and table
• ORMs produce sub-optimal SQL and far too many queries
• Using ORMs means using active record
• ORM is slower than just using SQL, Unlike other abstraction layers, which make up for their performance hit with faster development, ORM layers add almost nothing.
• But just pulling out arrays are quicker
• Incorrect abstraction - if you don't need relational data features you're using the wrong data store

You should protect your relational databases (like MySQL) from the dreaded SQL injection attack. These attacks are conducted by evil sniveling nerds, trying to insert damaging SQL code into your HTML form fields (and query strings too) to do things like drop database tables or even wipe out your database altogether!

There's three things he recommends as good places to start - mysql_real_escape_string, using an ORM layer with its own escaping and using something like PDO that cleans up the input for you.