They do, but what we're talking about here is an ORM, so there will always be machine generated SQL somewhere. Or do you believe that GP is suggesting that developers use parameterised SQL queries instead of an ORM?



Er, why can't the ORM use parameterised queries?


The problem is that ORMs like ActiveRecord really are just domain specific languages for building queries. If these DSLs are carelessly constructed (e.g. they use some form of in-band signaling) you can do the injection attack against the actual ORM code and make it build queries the author of the code did not intend.
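The in-band signaling problem described in the comment above, as an added example that is not code from the thread, from ActiveRecord or from SQLAlchemy: a toy query builder with a `where_raw` path that splices the caller's value into the SQL text (the same shape as ActiveRecord's `where("name = '#{params[:name]}'")` anti-pattern) beside a `where` path that leaves a `?` placeholder in the text and hands the value to the driver out of band. The `order` method shows the half of the problem that bind parameters cannot solve: column names are SQL text, so they need an allowlist. The `Query` class, its methods, the `users` table and its rows are all assumptions made for this illustration; the database is an in-memory SQLite table built with Python's standard-library `sqlite3`.

```python
"""Toy ORM query builder: in-band (string-spliced) vs. parameterised conditions.

Added illustration only; not the code of ActiveRecord, SQLAlchemy or the thread.
"""
import sqlite3
from typing import Any, Optional

# Constructed sample rows for the demo table (not from the page).
SEED_ROWS = [
    (1, "alice", "user"),
    (2, "bob", "user"),
    (3, "carol", "admin"),
]


def open_db() -> sqlite3.Connection:
    """Create the hypothetical users table in memory and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


class Query:
    """Minimal chainable relation (hypothetical; mimics the where/order shape
    of ActiveRecord-style DSLs, not any real implementation)."""

    # Identifiers cannot travel as bind parameters, so the builder allowlists them.
    COLUMNS = {"id", "name", "role"}

    def __init__(self, conn: sqlite3.Connection, table: str = "users"):
        self._conn = conn
        self._table = table
        self._where: list[str] = []
        self._params: list[Any] = []
        self._order: Optional[str] = None

    def where_raw(self, fragment: str) -> "Query":
        """Vulnerable path: the caller has already spliced data into SQL text,
        so data and code share one channel (in-band signaling)."""
        self._where.append(fragment)
        return self

    def where(self, fragment: str, *params: Any) -> "Query":
        """Hardened path: only '?' placeholders go into the text; values are
        bound by the driver. (Counting '?' is a toy check: a literal '?' inside
        a quoted string in the fragment would miscount.)"""
        if fragment.count("?") != len(params):
            raise ValueError("placeholder/parameter count mismatch")
        self._where.append(fragment)
        self._params.extend(params)
        return self

    def order(self, column: str, descending: bool = False) -> "Query":
        """Column names are SQL text and cannot be bound, so the only defence
        is a strict allowlist, not quoting or escaping."""
        if column not in self.COLUMNS:
            raise ValueError(f"unknown sort column: {column!r}")
        self._order = f"{column} {'DESC' if descending else 'ASC'}"
        return self

    def to_sql(self) -> tuple[str, list[Any]]:
        sql = f"SELECT id, name, role FROM {self._table}"
        if self._where:
            sql += " WHERE " + " AND ".join(f"({w})" for w in self._where)
        if self._order:
            sql += " ORDER BY " + self._order
        return sql, list(self._params)

    def all(self) -> list[tuple]:
        sql, params = self.to_sql()
        return self._conn.execute(sql, params).fetchall()


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """ActiveRecord-style anti-pattern: where("name = '#{params[:name]}'")."""
    return Query(conn).where_raw(f"name = '{name}'").all()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """ActiveRecord-style correct form: where("name = ?", params[:name])."""
    return Query(conn).where("name = ?", name).all()


if __name__ == "__main__":
    db = open_db()
    payload = "x' OR role = 'admin"  # closes the builder's quote, adds a clause
    print("unsafe:", lookup_unsafe(db, payload))  # the ORM built a query the author never intended
    print("safe:  ", lookup_safe(db, payload))    # value stays a literal; no such user
```

The payload never needs a `--` comment: the builder's own trailing quote closes the injected clause, which is exactly why a DSL that assembles text from caller-supplied fragments is attackable through the ORM layer rather than through any SQL the developer wrote by hand.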


http://sqlalchemy.org/ is an ORM and does not have these security issues. So it can be done.


Searching for "sqlalchemy sql injection" brings up this: https://bugzilla.redhat.com/show_bug.cgi?id=783305


I did not say otherwise. I said that ORMs may be vulnerable if they are carelessly constructed.



