camdenreslink 2 days ago

I don't think strong development teams are still letting SQL injection vulnerabilities through by manually concatenating strings to build queries with user-provided data. Not in the year 2026.

voxic11 2 days ago | parent | next [-]

Keep in mind this project is a 25 year old PHP application.

zarzavat 2 days ago | parent [-]

That actually makes it more confusing since a 25 year old PHP application is exactly where you'd expect to find SQL injection vulnerabilities.

If I were in charge of a 25 year old PHP application, tracking down every SQL query and converting it to a safe form would be high on my list of priorities. You don't need AI for that, just ripgrep and a basic amount of care for your users.

whythismatters 2 days ago | parent | next [-]

Most (proprietary) 25 year old PHP codebases I've seen are a huge mess riddled with issues, exuberant loc, mix of tabs and spaces and weird indentation, DRY violations, slightly diverging code blocks copy-pasted all over the place, etc., etc. Resolving technical debt (let alone reviewing the "stuff that works" like SQL queries) is often low priority because it's tedious and does not create any "business value".

otabdeveloper4 2 days ago | parent | prev [-]

Replacing/automating manual ripgrep is a top-1 use case for AI though.

pseudalopex 2 days ago | parent [-]

Their point was that a competent team would have done this 10 or 20 years ago, I thought.

simonw 2 days ago | parent | prev | next [-]

Good frameworks can protect against SQL injection and XSS (through default escaping of output variables) but protecting against insecure direct object access is a lot harder.
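As an added example (not part of simonw's comment or the thread), the following shows why bound parameters alone do not address insecure direct object references: both lookups below are injection-safe, but only the second makes ownership part of the query. Python's sqlite3 module stands in for the database, and the `invoices` table, its rows and the user ids are constructed sample data.

```python
"""Added example: an injection-safe lookup that is still an IDOR, beside the
ownership-scoped version. sqlite3 is a stand-in database; the invoices table,
rows and user ids are constructed sample data."""
import sqlite3


def make_db():
    """Build an in-memory table with invoices belonging to two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(101, 1, 250), (102, 2, 999), (103, 1, 40)],  # constructed rows
    )
    return conn


def get_invoice_unscoped(conn, current_user_id, invoice_id):
    """Bound parameter, so no SQL injection, but the authenticated user is
    never consulted: user 1 asking for invoice 102 receives user 2's record.
    That is the insecure direct object reference the comment refers to."""
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_scoped(conn, current_user_id, invoice_id):
    """The fix: ownership becomes a predicate of the query itself, so the
    database can only return rows the caller is allowed to see. Returning None
    for both 'missing' and 'not yours' also avoids revealing which ids exist."""
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("unscoped, user 1 -> invoice 102:", get_invoice_unscoped(db, 1, 102))
    print("scoped,   user 1 -> invoice 102:", get_invoice_scoped(db, 1, 102))
    print("scoped,   user 1 -> invoice 101:", get_invoice_scoped(db, 1, 101))
```

The scoped form is the pattern to grep for when auditing: any `WHERE id = ?` on a user-owned table that lacks an owner (or tenant) predicate, or that relies on a check performed somewhere else in the request, is a candidate for review.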

tdeck a day ago | parent | prev | next [-]

Last time I had to build an ORDER BY clause in MySQL, it didn't support query parameters in prepared statements, which is probably how this happens. It's not an excuse at all but the standard path of "just throw a ? (or whatever) in there and use bound params" doesn't work for order by (or at least it didn't at some time in the recent past). You would end up having to concatenate strings somehow or other.
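As an added example (not part of tdeck's comment or the thread), the following demonstrates the ORDER BY problem described above and the usual way out of it: a bound parameter in ORDER BY is sent as a string constant, so nothing is sorted, while an allowlist lets the caller choose only from column names the code already trusts. Python's sqlite3 module stands in for MySQL; the behaviour of a bound ORDER BY parameter is the same in both engines. The `users` table, its rows and the `SORTABLE_COLUMNS` mapping are constructed for the example.

```python
"""Added example: why ORDER BY cannot take a bound parameter, and an allowlist
builder that avoids string-concatenating user input. sqlite3 stands in for
MySQL; the table, rows and allowlist are constructed sample data."""
import sqlite3

# Allowlist: the only sort keys and directions a caller may request. User input
# is used as a *key* into these dicts; only the trusted values reach the SQL.
SORTABLE_COLUMNS = {"name": "name", "created": "created_at", "score": "score"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Build an in-memory table with rows inserted deliberately out of order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT, score INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [  # constructed rows
            (1, "carol", "2024-03-01", 50),
            (2, "alice", "2024-01-01", 90),
            (3, "bob", "2024-02-01", 70),
        ],
    )
    return conn


def names_bound_order_by(conn, column):
    """The tempting but wrong approach: bind the column name as a parameter.
    The driver sends it as a string literal, so every row has the same sort key
    and rows come back in scan (insertion) order, not sorted by that column."""
    rows = conn.execute("SELECT name FROM users ORDER BY ?", (column,)).fetchall()
    return [r[0] for r in rows]


def names_allowlisted_order_by(conn, column, direction="asc", min_score=0):
    """The safe approach: resolve the request through the allowlist, interpolate
    only the trusted values it yields, and keep actual data (min_score) bound.
    Anything not in the allowlist is rejected before any SQL is assembled."""
    try:
        col_sql = SORTABLE_COLUMNS[column]
        dir_sql = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort: {column!r} {direction!r}") from None
    sql = f"SELECT name FROM users WHERE score >= ? ORDER BY {col_sql} {dir_sql}"
    rows = conn.execute(sql, (min_score,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("bound ORDER BY ?   :", names_bound_order_by(db, "name"))
    print("allowlisted by name:", names_allowlisted_order_by(db, "name"))
    print("allowlisted by score desc:", names_allowlisted_order_by(db, "score", "desc"))
```

The allowlist is also what makes the concatenation auditable: the only strings that ever reach the `ORDER BY` are values from a dictionary defined in the code, so a reviewer running ripgrep for interpolated SQL can confirm each hit resolves to one of those constants rather than to request data.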

IshKebab 2 days ago | parent | prev [-]

Yeah this is a huge red flag that would make me avoid this project for sure.

Unfortunately you have no easy way of checking if closed source projects are similarly amateur.