amatera | 8 years ago

Some weeks ago an experienced developer said to me: "Parameterize a query? For years I haven't cared about it, because ORMs like Doctrine or Sequelize take care of that"... So it's not only students or new devs who should watch out, because even ORMs can open up SQL injections.

babuskov | 8 years ago

Yeah, before using any ORM I always first check how it inserts the parameter values. If it's a string replacement, you need to be very careful.
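The check babuskov describes, applied to the risk amatera raises, as an added example that is not part of this thread and is not Doctrine's or Sequelize's code: two toy query builders stand in for the two ways an ORM can insert a value (splicing it into the SQL text versus binding it as a parameter), an audit function tells them apart from the SQL they generate, and a run against an in-memory SQLite table (constructed sample data) shows why the difference matters for an ordinary name containing an apostrophe. The builder names and the probe value are assumptions of this example.

```python
import sqlite3

# Two toy query builders standing in for the two strategies an ORM might use.
# (Hypothetical helpers for this example; no real ORM is being called.)
def build_replacing(name):
    """String replacement: the value is spliced straight into the SQL text."""
    return "SELECT name FROM users WHERE name = '%s'" % name, ()

def build_binding(name):
    """Parameter binding: the SQL text carries a placeholder and the value
    travels separately, so the database never parses it as SQL."""
    return "SELECT name FROM users WHERE name = ?", (name,)

def audit_builder(build_fn, probe="O'Brien"):
    """Classify a builder by inspecting the SQL it generates.

    A value containing a quote is a good probe: if it shows up verbatim in
    the SQL text, the builder is doing string replacement and every quote
    in user input changes the query's meaning.  Returns 'replaced' or 'bound'.
    """
    sql, _params = build_fn(probe)
    return "replaced" if probe in sql else "bound"

def make_db():
    """Constructed sample table with one name that contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def run(build_fn, name):
    """Execute the builder's output against the sample table.

    Returns the list of matching names, or an 'error: ...' string when the
    generated SQL fails to parse (the typical symptom of string replacement).
    """
    conn = make_db()
    sql, params = build_fn(name)
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    for fn in (build_replacing, build_binding):
        print(fn.__name__, "->", audit_builder(fn), "|",
              run(fn, "O'Brien"))
```

The audit only needs the generated SQL, not a database, which is the practical point: before trusting an ORM's query helper, feed it a quoted probe value and look at the statement it produces (most ORMs can log the SQL they emit). If the probe text appears inside the statement, that code path is string replacement and needs escaping or rewriting to a bound parameter.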