Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's easy to do in any language/framework which accepts raw strings as SQL input. Which is pretty much all of them, except for ORMs and similar (and even those usually have an escape hatch, which sufficiently lazy/clueless developers can and will find eventually).

If a raw string is allowed, then the standard facilities - string concatenation, formatting etc - can be used to write injection-vulnerable code.

The only mitigation that does not require educating the end developers is to completely banish strings from the API, and require everything to go through a DSL layer instead. Said layer can then ensure that all values are properly quoted and/or parametrized prepared statements are used as needed.



"Said Leopard to Baviaan (and it was a very hot day), "Where has all the game gone?"

And Baviaan winked. He knew.

Said the Ethiopian to Baviaan, "Can you tell me the present habitat of the aboriginal Fauna?" (That meant just the same thing, but the Ethiopian always used long words. He was a grown-up.)"




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: