
That's exactly what defines SQLi. Incorrect filtering of user data is precisely the reason why SQLi is a vulnerability.

The better way to defend against SQLi would be to use proper quoting/prepared statements, instead of trying to play whack-a-mole by filtering and limiting the content of the input strings.

Correct, but that doesn't make the statement of the causes for SQLi any different.

Incorrect handling I'd say. If you're filtering apostrophes from your user input you're doing it wrong.

This is a semantic quibble. Your point could be restated as, "if you're not filtering potentially dangerous data out of your SQL queries (i.e. you're not using a fixed vocabulary of properly-quoted phrases) then you are vulnerable to SQLi."

Think of it this way: no matter how you slice it, there are Bad Things you need to keep out of your SQL, and an easy layperson term for doing so is 'filtering'.

Recall that 'filter' != regexp.
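The thread's two positions, as an added example that is not part of the original discussion: a query built by string concatenation beside the same query with a bound parameter, plus the "filter out apostrophes" approach criticised above. The table, the rows and the `O'Brien` test name are constructed for the demo (Python's standard `sqlite3` module, in-memory database). A legitimate name containing an apostrophe is enough to show the failure: with concatenation the data changes the structure of the SQL statement and the parser errors out, stripping apostrophes "fixes" that by silently losing a valid user, and binding the value as a parameter returns the right row because the input is never parsed as SQL.

```python
import sqlite3

# Constructed sample data for the demo; the apostrophe in "O'Brien" is legitimate user data.
ROWS = [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: user input is spliced into the SQL text, so the
    database parses the input as part of the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Prepared-statement pattern: the SQL text is fixed and the value is bound
    separately, so whatever the input contains is treated as data."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def strip_apostrophes(name):
    """The whack-a-mole 'filter': remove the character that breaks concatenation."""
    return name.replace("'", "")


def demo():
    """Run the three approaches against the same input and report what each returns."""
    conn = make_db()
    results = {}

    # Parameter binding handles both names correctly.
    results["param_plain"] = lookup_param(conn, "alice")
    results["param_apostrophe"] = lookup_param(conn, "O'Brien")

    # Concatenation: the apostrophe terminates the string literal early and the
    # statement no longer parses. Data has altered the structure of the query,
    # which is exactly the defect that makes SQLi possible.
    try:
        lookup_concat(conn, "O'Brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "error"

    # Filtering apostrophes avoids the error but now looks up the wrong name,
    # so a real user simply cannot be found.
    results["filtered_apostrophe"] = lookup_concat(conn, strip_apostrophes("O'Brien"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only `lookup_param` both survives the apostrophe and returns the correct row; the same property is what keeps a hostile input from being interpreted as SQL, which is why binding parameters is the fix rather than input filtering.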
