|
|
|
|
|
|
by awj
5556 days ago
|
|
|
> It is not unreasonable to assert that SQLI defense is a framework concern, not a database issue. Sure, but it is unreasonable to assert that SQLI defense is not also a database issue. Using the provided apis in a way that prevents SQLI is a framework concern. Providing apis that make that possible without re-implementing basic things like escaping is a database concern, otherwise you're just asking people to re-solve the same problems so they each get a chance to screw it up. |
|
|
The SQL Injection vulnerability is, "user coerces application into submitting an unexpected and unauthorized query".
Blaming the database for that is like blaming the filesystem for pathname injection vulnerabilities.
It could, after all, send a Unix signal to a calling process when a filename contained "..", and demand that the process re-assert it's desire to really reference a different directory.
We may be spiraling here. Parameterized queries are a good thing. I'm glad MySQL has them. I'm not, however, going to wag a finger at MySQL every time someone finds an SQLI vulnerability in an app that uses MySQL, just because 6-7 years ago they didn't have parameterized queries. For one thing, it's not a useful comment (do you want them to implement parameterized queries... again?); for another, it's not particularly valid architectural point; and finally, it's really boring.