Hacker News
by amatera 3100 days ago
Some weeks ago an experienced developer said to me: "Parameterize a query? For years I haven't cared about it, because ORMs like Doctrine or Sequelize take care of that"... So it's not only students or new devs who should watch out, because even ORMs can open up SQL injections.
2 comments

Rails is well known for this. Here is a nice page listing common ones: https://rails-sqli.org/
Yeah, before using any ORM I always first check how it inserts the parameter values. If it's a string replacement, you need to be very careful.
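The check the last comment describes, as an added example that is not part of this thread: two query helpers stand in for an ORM's database layer (one splices the value into the SQL text, one binds it), and a self-test feeds each a legitimate name containing an apostrophe. The `users` table, the names in it and the `o'brien` probe are constructed for the example; `sqlite3` is used only because it ships with Python.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for an application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return db


def find_by_name_interpolated(db, name):
    """Emulates a query layer that splices the value into the SQL string.
    This is the 'string replacement' style the thread warns about."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def find_by_name_bound(db, name):
    """Same lookup with a bound parameter: the value never becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def uses_string_replacement(db, finder):
    """Self-check for a query layer: a real value containing an apostrophe must
    be looked up like any other. If the layer splices text, the quote is parsed
    as SQL and the statement fails or changes meaning; if it binds, the row
    comes back unchanged."""
    try:
        return finder(db, "o'brien") != ["o'brien"]
    except sqlite3.OperationalError:
        # Syntax error from the stray quote: the value reached the SQL parser.
        return True


if __name__ == "__main__":
    conn = make_db()
    for fn in (find_by_name_interpolated, find_by_name_bound):
        print(fn.__name__, "-> string replacement:", uses_string_replacement(conn, fn))
```

Run the same probe against each ORM method you intend to use (raw `where` fragments, `order`, `pluck` and friends are the usual suspects on rails-sqli.org); any method that errors or returns something other than the literal match is doing text substitution.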