Prevent SQL injection in your ORM

By André Jaenisch on 17.01.2023. About 1 minute reading time. This text is estimated to be very confusing to understand.

I was browsing the Snyk Vulnerability database the other day to see
whether I could find some incidents that I could learn from. I was
surprised to see an SQL injection flagged as introduced that
referred to a fix in 2018.

Now, this project called nodebatis appears to be a Chinese
ORM that focusses solely on MySQL. I like those patterns myself because they
save me from maintaining SQL. The tradeoff here is the lack of optimisations.

SQL is often used with relational databases to insert data into or pull
information out of those databases. Very powerful but not everybody’s darling.

The challenge here is handling input from outside the application (say,
via a web form), which needs validation because a bad actor might be able
to either query more information than you intended, or wreak havoc.
If you haven’t heard of Exploits of a Mom I encourage you to take a
look at it. I’ll wait.

Back? Great!

Now, studying the commit fixing this SQL injection introduced me to
another package called sqlstring. It escapes special characters in
strings so that the data is safe to embed in a query.
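To make concrete what that escaping does, here is an added example (my own minimal re-implementation of the MySQL escaping rules that sqlstring applies, not code from nodebatis or sqlstring): the vulnerable concatenation beside the escaped form, plus a small scanner that shows what a MySQL-style parser would treat as code versus data. The table, the query and the sample input are assumed.

```javascript
// Added re-implementation of the escaping that sqlstring.escape() applies to
// MySQL string literals; illustration code, not nodebatis's or sqlstring's own.
const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};
const UNESCAPES = { 0: '\0', b: '\b', t: '\t', n: '\n', r: '\r', Z: '\x1a' };
// Constructed sample input in the shape of the Exploits of a Mom comic.
const SAMPLE_INPUT = "Robert'); DROP TABLE students;--";

// Turn a JavaScript value into a MySQL literal that can only ever be data.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  const body = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPES[c]);
  return `'${body}'`;
}

// Vulnerable shape: the caller's value is pasted into the statement unchanged.
function unsafeQuery(name) {
  return `SELECT * FROM students WHERE name = '${name}'`;
}

// Hardened shape: escaped first, so a quote in the value cannot end the literal.
function safeQuery(name) {
  return `SELECT * FROM students WHERE name = ${escapeValue(name)}`;
}

// Split SQL text the way a MySQL-style parser would: text outside
// single-quoted literals is code, the decoded contents of literals are data.
function splitCodeAndData(sql) {
  const literals = []; let outside = ''; let current = null; // null = outside a literal
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (current === null) {
      if (c === "'") current = ''; else outside += c;
    } else if (c === '\\' && i + 1 < sql.length) {
      const next = sql[++i]; // backslash-escaped char stays inside the literal
      current += next in UNESCAPES ? UNESCAPES[next] : next;
    } else if (c === "'") {
      literals.push(current); current = null;
    } else {
      current += c;
    }
  }
  return { outside, literals, unterminated: current !== null };
}
```

Run `splitCodeAndData` over both query builders with `SAMPLE_INPUT`: the unsafe one leaks `DROP TABLE` into the code part and leaves a dangling quote, the escaped one keeps the whole input inside a single literal. Prepared statements keep values out of the SQL text altogether and are preferable where the driver offers them; escaping is what a fix like this one relies on when every value is routed through sqlstring.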

Speaking of, if you are curious about what SQL injection can look like, I can
point you towards the Big List of Naughty Strings, which has some examples.
Be aware that they could destroy data, so don't use them on a production database!
You have been warned.

Do you use an ORM? Have you looked whether it is safe against injection attacks?
This blog receives WebMentions, so link to it and I will notice.

If you want me to take a look at your ORM, drop me a line.