• @[email protected]
    link
    fedilink
    108 months ago

    Every modern database library automatically protects against SQL injection,

    No. Every modern library allows using prepared statements, but very few (of any) force using them. If the developer doesn’t use them the libraries won’t do shit to protect you.

    • @[email protected]
      link
      fedilink
      1
      edit-2
      8 months ago

      What I meant is that not many people write raw SQL in product code any more, other than for analytical purposes (which are often in a system like Apache Airflow rather than in product code). ORM systems have mostly taken over except for cases where you really need raw SQL for whatever reason.

      • @[email protected]
        link
        fedilink
        28 months ago

        Practically every dev learnt SQL and it’s really easy to put hands crafted SQL in code so it’s an easy mistake to make