by untog 4909 days ago
Er, why can't the ORM use parameterised queries?

The problem is that ORMs like ActiveRecord really are just domain-specific languages for building queries. If these DSLs are carelessly constructed (e.g. they use some form of in-band signaling), you can do the injection attack against the actual ORM code and make it build queries the author of the code did not intend.
http://sqlalchemy.org/ is an ORM and does not have these security issues. So it can be done.
Searching for "sqlalchemy sql injection" brings up this: https://bugzilla.redhat.com/show_bug.cgi?id=783305
I did not say otherwise. I said that ORMs may be vulnerable if they are carelessly constructed.
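An added example (not from any commenter in this thread, and not SQLAlchemy's or ActiveRecord's code) of the distinction the replies above draw: a toy query DSL that splices values into the SQL text, beside the same DSL passing values out of band as bind parameters. The `users` table, its rows and the column whitelist are constructed for the demo.

```python
import sqlite3

# Constructed sample table and rows for this demo; not from the thread.
SAMPLE_ROWS = [("alice", "tok-a"), ("bob", "tok-b")]
# Identifiers cannot be bound as parameters, so a safe DSL must whitelist them.
ALLOWED_COLUMNS = {"name", "token"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn

class Query:
    """Tiny query DSL: chain where() calls, then build() -> (sql, params)."""
    def __init__(self):
        self.clauses, self.params = [], []

    def build(self):
        sql = "SELECT name FROM users"
        if self.clauses:
            sql += " WHERE " + " AND ".join(self.clauses)
        return sql, tuple(self.params)

class InBandQuery(Query):
    """Splices values into the SQL text (in-band signalling): data and code
    share one channel, so a value can rewrite the statement."""
    def where(self, column, value):
        # Hand-quoting is the mistake: the value is still parsed as SQL.
        self.clauses.append(f"{column} = '{value}'")
        return self

class BoundQuery(Query):
    """Same DSL, but values travel out of band as bind parameters."""
    def where(self, column, value):
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        self.clauses.append(f"{column} = ?")
        self.params.append(value)
        return self

def lookup(query_cls, name):
    """Look up a user by name through the given DSL; return matching names."""
    conn = make_db()
    sql, params = query_cls().where("name", name).build()
    return [row[0] for row in conn.execute(sql, params)]
```

With an ordinary name both builders return the same row; with a value containing a quote, the in-band builder's statement no longer says what the author wrote, while the bound builder simply finds no match.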