by jeltz 4909 days ago
The problem is that ORMs like ActiveRecord really are just domain specific languages for building queries. If these DSLs are carelessly constructed (e.g. they use some form of inband signaling), you can do the injection attack against the actual ORM code and make it build queries the author of the code did not intend.
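A minimal illustration of the point above, added here and not code from the thread or from any real ORM: a toy query DSL in Python that splices values into the SQL text (in-band signaling) next to one that validates identifiers and binds values as parameters. The table, rows and builder names are constructed for the example.

```python
import sqlite3

# Constructed sample table (not from the thread): two users, one an admin.
ROWS = [(1, "alice", 0), (2, "bob", 1)]

def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn

def _check_identifier(name):
    # Column and table names are the only parts the code author chooses;
    # they must be plain identifiers and never come from user data.
    if not name.isidentifier():
        raise ValueError("not a plain SQL identifier: %r" % name)
    return name

def where_inband(table, **conds):
    """Careless query DSL: values are spliced into the SQL text (in-band
    signaling), so the database reads user data as query structure."""
    clauses = ["%s = '%s'" % (k, v) for k, v in conds.items()]
    return "SELECT id FROM %s WHERE %s" % (table, " AND ".join(clauses))

def where_bound(table, **conds):
    """Hardened query DSL: identifiers are validated, values never touch the
    SQL text and travel out-of-band as bound parameters."""
    cols = [_check_identifier(k) for k in conds]
    sql = "SELECT id FROM %s WHERE %s" % (
        _check_identifier(table), " AND ".join("%s = ?" % c for c in cols))
    return sql, tuple(conds.values())

def lookup_inband(conn, name):
    """Run the careless builder; None means the value broke the SQL syntax."""
    try:
        return [r[0] for r in conn.execute(where_inband("users", name=name))]
    except sqlite3.Error:
        return None

def lookup_bound(conn, name):
    """Run the hardened builder; the SQL text is the same for every value."""
    sql, params = where_bound("users", name=name)
    return [r[0] for r in conn.execute(sql, params)]

if __name__ == "__main__":
    db = setup()
    for value in ["alice", "O'Brien", "nobody' OR '1'='1"]:
        print(repr(value), lookup_inband(db, value), lookup_bound(db, value))
```

The careless builder fails on an ordinary apostrophe and returns every row for a value containing query syntax, while the bound builder returns only exact name matches because the statement text never changes.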

http://sqlalchemy.org/ is an ORM and does not have these security issues. So it can be done.
Searching for "sqlalchemy sql injection" brings up this: https://bugzilla.redhat.com/show_bug.cgi?id=783305
I did not say otherwise. I said that ORMs may be vulnerable if they are carelessly constructed.