If your security strategy relies on one or two security controls, you're doomed most of the time.
We've added SQL filtering as a defense-in-depth measure, having a convenient seat in the architecture, complementing every other mitigation measure proper application developers and DBAs should be doing (and frequently get wrong).
We've added SQL filtering as a defense-in-depth measure, having a convenient seat in the architecture, complementing every other mitigation measure proper application developers and DBAs should be doing (and frequently get wrong).
Even ORMs get bypassed once in a while:
- https://github.com/mysqljs/mysql/issues/342 - https://github.com/sequelize/sequelize/issues/5671 - (okay, we can avoid this one by saying nothing "nothing proper exists in NodeJS world) https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-all...
Dumb concatenation can nullify the merit of quite advanced ORM: copybook example of misusing Ruby's ActiveRecord (is that proper enough) got as far as OWASP testing guide: https://www.owasp.org/index.php/Testing_for_ORM_Injection_(O...
Prepared statements are cooked wrong as well, but rarely, that's why they are viable line of defense, but not the sole one (as nothing should be):
https://www.reddit.com/r/netsec/comments/ww9qm/sqli_bypassin... https://stackoverflow.com/questions/134099/are-pdo-prepared-...
(in fact, I've seen with my eyes exactly what first comment in reddit postmentions).