top | item 24522876


Bnshsysjab | 5 years ago

I hate these kinds of defenses. If your application is vulnerable to sqli, select is one of many tools an attacker can use and you’re pretty much screwed anyway.

Instead, use sane tooling, like modern ORMs and parameterizers, with some data sanitation if you’re really paranoid.
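The parameterized-query point above, as an added example that is not part of the commenter's post: a string-spliced lookup beside its bound-parameter equivalent, run against a constructed in-memory SQLite table (the table, names and inputs are all made up for the demo). The spliced version lets quote characters in the input change the query's structure, while the bound version can only ever compare the input as data.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the thread.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a throwaway in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the caller-supplied value is pasted into the SQL text,
    so any quote or keyword inside it becomes part of the statement."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized pattern: the driver binds the value separately from the
    statement, so it is compared as a string and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign name and on a name containing a quote,
    returning the four result sets so the difference is visible."""
    conn = make_db()
    benign = "alice"
    # Constructed input with an embedded quote; the kind of value a WAF keyword
    # filter is meant to catch and a bound parameter makes harmless.
    quoted = "x' OR 'a'='a"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_quoted": lookup_unsafe(conn, quoted),
        "safe_benign": lookup_safe(conn, benign),
        "safe_quoted": lookup_safe(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The only line that differs between the two lookups is where the value goes: into the SQL text, or into the parameter tuple. That is why this fix is cheap to adopt and why it removes the whole class of problem a keyword-blocking WAF rule can only partially paper over.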


hombre_fatal | 5 years ago

> Instead

You're misunderstanding the market.

The point of Cloudflare WAF isn't to be a main line of defense for HN readers, it's to stop the low effort automated drive-by attacks for websites that were already hosed. Like WAFs that block /wp-admin/* and instead generate a new segment.

I'd be surprised if there was a single person in the world who is going to go "oh right I should replace Cloudflare WAF and my sqli with some parameterized queries!"

Bnshsysjab | 5 years ago

I think ‘stop wasting time on dumb stuff and focus on actual security’ is a good take home for the HN crowd. Time and money are finite, so spend them wisely.

btown | 5 years ago

It's also "Hey, the superstar on the sales team just launched a new WordPress blog that everyone likes, just wanted to let you know" and you have no time for a detailed security audit. Put it behind Cloudflare and at least you're more protected than you were!

z3t4 | 5 years ago

So basically you say that those who care about security and sound engineering practices should quit software development, because it's a lost cause?