RKFADU_UOFCCLEL 2 months ago

What? If I construct my queries the right way (e.g., not concatenating strings together like it's the year 1990), then I never will want a WAF "helping" me by blocking my users because they have an apostrophe in their name.
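The contrast this comment draws, as an added illustration that is not part of the thread: the same legitimate name (`O'Brien`) breaks a query built by string concatenation, passes cleanly through a parameterized query, and would be rejected by a naive "block every apostrophe" filter. The table, rows and function names below are constructed for the example; the database is an in-memory SQLite instance.

```python
import sqlite3

# Constructed sample rows for the example (not data from the thread).
USERS = [("O'Brien", "obrien@example.test"), ("Alice", "alice@example.test")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """The 'year 1990' way: user input is spliced into the SQL text, so the
    database parser sees the apostrophe in O'Brien as the end of the string
    literal. The same parsing confusion is what makes injection possible."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """The right way: the input is bound as a value and is never parsed as
    SQL, so an apostrophe is just a character in a name."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def naive_waf_blocks(name):
    """A crude rule that rejects any apostrophe: it blocks O'Brien even though
    the application never had a problem with that input in the first place."""
    return "'" in name


def compare(name):
    """Run both lookups for one name; the concatenated version may raise."""
    conn = make_db()
    try:
        concat_result = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat_result = f"error: {exc}"
    param_result = lookup_param(conn, name)
    return concat_result, param_result


if __name__ == "__main__":
    for candidate in ("Alice", "O'Brien"):
        concat_result, param_result = compare(candidate)
        print(f"{candidate!r}: concat={concat_result} param={param_result} "
              f"naive_filter_blocks={naive_waf_blocks(candidate)}")
```

With parameters bound, the apostrophe needs no escaping and no filtering; only the concatenated query fails, and a rule that blocks apostrophes would be papering over that defect rather than fixing it.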
p_ing 2 months ago

That's a very narrow view of what a WAF does. You may want to review the OWASP ruleset at https://coreruleset.org/. However, this is just the ruleset. WAF vendors usually offer features above and beyond OWASP rule parsing. And WAF rules can be tuned. There's no reason an apostrophe in a username or similar needs to be blocked, if it were blocked by a rule.
patrakov 2 months ago

> If I construct my queries the right way (e.g., not concatenating strings together like it's the year 1990)...

(in the anti-WAF camp but playing a pedant here) In your Django app, you indeed follow the best practices and don't concatenate strings together and so think that this security theater doesn't apply. Yet, this is precisely how Django ORM works under the hood, and SQL injections are periodically found there. The real solution here is to subscribe to the django-announce list and update Django, or backport the fix manually.