
"don't concatenate input strings into SQL strings" is a pretty good comparison, because the rise of ORMs and APIs that make parameterized queries ergonomic has done probably 10 times as much to stop SQLi in practice as telling developers to sanitize their inputs ever did.



>sanitize their inputs ever did.

Was escaping input even a viable strategy?

If you escape the thing, then your data in the DB is broken.

Parametrization seems like the only strategy out of those two.


Some parts of a query cannot be parameterized, e.g. the column name for an 'order by' in many cases. So you have to do some kind of escaping, sanitization and concatenation.


If you're escaping/sanitizing to massage an input string until you can concatenate it into a SQL query, you're doing it wrong. Please don't.


While this solution isn't sexy, can't it just be a simple switch?

    switch (columnId) {
    case 1: column = "age";    break;
    case 2: column = "salary"; break;
    default: return INVALID_COLUMN;  // anything else is rejected, never concatenated
    }


Yes, unless the database has custom column names e.g. to add your own properties to some object. But that kind of schema is madness in other aspects as well...


I have yet to dream up/see a case where you can't puzzle literals together based on user-query parsing until you get your SQL query assembled.
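As an added example (not code from any commenter in this thread), the following Python/sqlite3 script puts the points above side by side: a value concatenated into the query versus the same value bound as a parameter, what actually happens if you try to bind an ORDER BY column as a parameter, and the allowlist/switch approach of mapping an untrusted sort key to a column name that is a literal in your own source. The `employees` table, its rows and the `ORDER_COLUMNS` mapping are constructed for the example.

```python
import sqlite3

# Constructed sample rows for an in-memory table (example data, not from the thread).
SAMPLE_ROWS = [
    ("alice", 30, 50000),
    ("bob", 25, 60000),
    ("carol", 35, 55000),
]

# Allowlist: untrusted sort key -> SQL identifier. Every value on the right is a
# literal in this file; nothing from the caller ever reaches the query text.
ORDER_COLUMNS = {
    "name": "name",
    "age": "age",
    "salary": "salary",
}


def open_db():
    """Create the constructed employees table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, age INTEGER, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL text itself."""
    sql = "SELECT name FROM employees WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    """Safe: the value is bound separately and can never change the query's structure."""
    rows = conn.execute("SELECT name FROM employees WHERE name = ?", (name,))
    return [row[0] for row in rows]


def list_sorted_param_attempt(conn, sort_key):
    """Why ORDER BY cannot simply be parameterized: the bound value is a string
    constant, so every row gets the same sort key and the key is effectively ignored."""
    rows = conn.execute("SELECT name FROM employees ORDER BY ?", (sort_key,))
    return [row[0] for row in rows]


def list_sorted(conn, sort_key, descending=False):
    """Allowlist approach: pick the identifier by lookup, reject anything unknown.
    The sort key is never escaped and never concatenated; only our own literal is."""
    try:
        column = ORDER_COLUMNS[sort_key]
    except KeyError:
        raise ValueError("unsupported sort key: %r" % (sort_key,))
    direction = "DESC" if descending else "ASC"
    sql = "SELECT name FROM employees ORDER BY %s %s" % (column, direction)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = open_db()
    payload = "' OR '1'='1"
    print("concatenated:", find_by_name_concat(db, payload))      # every row leaks
    print("parameterized:", find_by_name_param(db, payload))      # no such name
    print("ORDER BY ? bound as 'age':", list_sorted_param_attempt(db, "age"))
    print("allowlisted ORDER BY age:", list_sorted(db, "age"))
    print("allowlisted ORDER BY salary DESC:", list_sorted(db, "salary", True))
```

The `list_sorted_param_attempt` call is the part worth running once: it executes without error, which is exactly why people assume it worked, but the returned order is the same whatever key you pass. The allowlist version is the switch from the comment above in dictionary form, and the `KeyError` branch is the `default` case.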


Agreed. But writing your own authentication frameworks is a virtually identical situation.



