• trxxruraxvr@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    8 months ago

    Every modern database library automatically protects against SQL injection,

    No. Every modern library allows using prepared statements, but very few (of any) force using them. If the developer doesn’t use them the libraries won’t do shit to protect you.

    • danA
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      edit-2
      8 months ago

      What I meant is that not many people write raw SQL in product code any more, other than for analytical purposes (which are often in a system like Apache Airflow rather than in product code). ORM systems have mostly taken over except for cases where you really need raw SQL for whatever reason.

      • psud@aussie.zone
        link
        fedilink
        arrow-up
        2
        ·
        8 months ago

        Practically every dev learnt SQL and it’s really easy to put hands crafted SQL in code so it’s an easy mistake to make