My recent article about SQL injection has stirred some serious emotions on JCG. I don’t want to keep it from you! An extract:
[…] The idea that if I use an ORM, my SQL injection woes will magically go away is f***ing harmful, shortsighted, and anybody who thinks that should be kicked squarely in a sensitive region. […]
And if you’ve survived that kick…
[…] Since there is no SQL statement, things like “‘a’; TRUNCATE your_mom” get stored/selected from as exactly that […]
And if your mom has survived truncation, too:
[…] ORM still won’t save you. Validate your god-d*** f***ing inputs, jack-a**.
So please, sanitise your code, or the angry man will come and get you!! :)
http://www.javacodegeeks.com/2012/07/database-abstraction-and-sql-injection.html#comment-603438572