| If your security strategy relies on one or two security controls, you're doomed most of the time. We've added SQL filtering as a defense-in-depth measure, having a convenient seat in the architecture, complementing every other mitigation measure proper application developers and DBAs should be doing (and frequently get wrong). Even ORMs get bypassed once in a while: - https://github.com/mysqljs/mysql/issues/342
- https://github.com/sequelize/sequelize/issues/5671
- (okay, we can avoid this one by saying nothing "nothing proper exists in NodeJS world)
https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-all... Dumb concatenation can nullify the merit of quite advanced ORM: copybook example of misusing Ruby's ActiveRecord (is that proper enough) got as far as OWASP testing guide: https://www.owasp.org/index.php/Testing_for_ORM_Injection_(O... Prepared statements are cooked wrong as well, but rarely, that's why they are viable line of defense, but not the sole one (as nothing should be): https://www.reddit.com/r/netsec/comments/ww9qm/sqli_bypassin...
https://stackoverflow.com/questions/134099/are-pdo-prepared-... (in fact, I've seen with my eyes exactly what first comment in reddit postmentions). |