from Hacker News

Preventing SQL Injections When WAF’s Not Enough

by ninegunpi on 2/13/19, 3:47 PM with 13 comments

  • by dullgiulio on 2/13/19, 7:07 PM

    Umh, this article is dubious.

    1. If your WAF can be fooled by adding an X-Forwarded-For header, trouble ahead.

    2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.

    3. If you don't write only completely static queries[1] to then use as prepared statements or use a proper ORM[2] when using a SQL database, trouble ahead.

    [1] https://www.akadia.com/services/dyn_modify_where_clause.html

    [2] Like linq, jOOQ...

  • by all_blue_chucks on 2/13/19, 7:10 PM

    WAFs are never good enough. They're a weak band-aid used by companies who lack the expertise to find and fix security bugs in their own code.

  • by ris on 2/13/19, 9:37 PM

    This is an advertisement.

  • by moutix on 2/14/19, 9:22 PM

    That's why we now have RASP. It's better than SQL proxy and WAF, because you have both the SQL query and the HTTP parameters and you can correlate them to be super accurate.
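The correlation moutix describes, as an added illustration that is not part of the thread or of any RASP product: a simplified check that a request parameter stays inside a single SQL literal once the query is built, beside the prepared-statement version from dullgiulio's point 3. The lexer, the table and the sample rows are constructed for this example.

```python
import re
import sqlite3

# Minimal SQL lexer, added for this example (not a production parser):
# quoted string literals (with '' escapes), integers, identifiers/keywords,
# and any other single character treated as punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|\S")

def value_confined_to_literal(query, value):
    """Correlation check in the spirit of RASP: an HTTP parameter value that
    reached the SQL layer must sit entirely inside ONE literal token.
    If no single literal contains it, the value spanned token boundaries,
    i.e. it was interpreted as SQL syntax rather than as data."""
    for tok in TOKEN.findall(query):
        if (tok.startswith("'") or tok.isdigit()) and value in tok:
            return True
    return False

def setup_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_dynamic(conn, name):
    """The pattern the thread warns against: query text assembled from input.
    The structural check refuses to run the query when the parameter has
    leaked into the query's syntax instead of staying a plain value."""
    query = f"SELECT id FROM users WHERE name = '{name}'"
    if not value_confined_to_literal(query, name):
        raise ValueError("parameter altered SQL structure; request blocked")
    return [row[0] for row in conn.execute(query)]

def lookup_prepared(conn, name):
    """The fix: static query text with the value bound by the driver, so the
    input can never become syntax and no runtime check is needed."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = setup_db()
    print(lookup_prepared(db, "alice"))        # [1]
    print(lookup_prepared(db, "' OR '1'='1"))  # [] - bound as a literal name
    try:
        lookup_dynamic(db, "' OR '1'='1")
    except ValueError as err:
        print(err)
```

The check is deliberately structural rather than signature based: it asks whether the value changed the shape of the statement, which is information only available where both the HTTP parameter and the final query are visible.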