• trxxruraxvr@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    8 个月前

    Every modern database library automatically protects against SQL injection,

    No. Every modern library allows using prepared statements, but very few (of any) force using them. If the developer doesn’t use them the libraries won’t do shit to protect you.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      edit-2
      8 个月前

      What I meant is that not many people write raw SQL in product code any more, other than for analytical purposes (which are often in a system like Apache Airflow rather than in product code). ORM systems have mostly taken over except for cases where you really need raw SQL for whatever reason.

      • psud
        link
        fedilink
        arrow-up
        2
        ·
        8 个月前

        Practically every dev learnt SQL and it’s really easy to put hands crafted SQL in code so it’s an easy mistake to make