• r00ty@kbin.life
    link
    fedilink
    arrow-up
    10
    ·
    9 months ago

    Well no. If the programmer uses prepared statements, they are protected. If they use a prepared statement but actually just put their own unsanitized statement in there and execute it, it’s not protected.

    Now, I’d like to say it is 2024 and everyone should be using AT LEAST prepared statements for security. I’ve seen people doing some scary things in my time, and that includes quite recently.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Bad developers will do bad things, but most DB framework documentation points people towards the right way to do things, which is why I said it’s not common any more.

      • Dr. JenkemA
        link
        fedilink
        English
        arrow-up
        6
        ·
        9 months ago

        Bad developers are common though. And good documentation won’t stop a bad developer from doing a bad thing.

        I agree that SQLi isn’t as common as it once was, but it still very much exists.