> You can make a good case to spend time sanitising requests
> In most cases, it's not your system, though
You can’t pick and choose whether you own a system or not when presented with an opposing argument. That’s not how this works.
"System owner, we need to spend $10K to sanitise requests or a kid can destroy our business overnight".
"System owner, we need to spend $10K to clean up the database and code so that null and "null" are not the same thing, even though it works 99.99% of the time".
Do you see the difference?
If there are type confusion bugs related to SQL statements, I think SQL injection is likely to exist, if not some other super nasty bugs will eclipse it.
You can waste 10k paying someone to look at it or you could not waste your money, but I’d be fucked before I sign off on a system with those kinds of bugs as being secure, evidence or not. Someone higher up can accept that risk, but I’d rather not be liable when it’s breached or catastrophically damaged because some kid changed their last name to an SQL injection payload.
And yes, I’ve checked, in my country unpronounceable names are not permitted, otherwise I’d have one. There are existing case studies of this, iirc in the UK.
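The two failure modes argued about above, the "kid changes their last name to an injection payload" case and the "null vs. the string 'null'" type confusion, as an added example that is not part of the thread or of anyone's posted code. It uses Python's built-in sqlite3 on an in-memory database; the sample users, the payload string and all function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the thread). Row 3 has a genuine SQL NULL,
# row 4 has the four-character string "null": two different things.
SAMPLE_USERS = [
    (1, "Alice", "Smith"),
    (2, "Bob", "Jones"),
    (3, "Carol", None),
    (4, "Dave", "null"),
]

# Constructed "last name" that is also an injection payload. The quote closes the
# string literal, 1=1 matches every row, and "--" comments out the real WHERE.
PAYLOAD_LAST_NAME = "x' WHERE 1=1 --"


def fresh_db():
    """New in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_rename(conn, user_id, new_last_name):
    """Builds the statement by string formatting: the name is parsed as SQL."""
    sql = f"UPDATE users SET last_name = '{new_last_name}' WHERE id = {int(user_id)}"
    conn.execute(sql)
    conn.commit()


def safe_rename(conn, user_id, new_last_name):
    """Parameterised statement: the name is bound as data and never parsed as SQL."""
    conn.execute("UPDATE users SET last_name = ? WHERE id = ?", (new_last_name, user_id))
    conn.commit()


def last_names(conn):
    return [row[0] for row in conn.execute("SELECT last_name FROM users ORDER BY id")]


def sql_null_count(conn):
    """Rows whose last name is genuinely absent. The string 'null' does not count."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE last_name IS NULL").fetchone()[0]


def string_null_count(conn):
    """Rows whose last name is literally the text 'null'."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE last_name = 'null'").fetchone()[0]


def naive_missing_count(conn):
    """The app-side check that conflates the two: works until someone is
    actually named 'null' (or the column is NULL and the code expects text)."""
    rows = conn.execute("SELECT last_name FROM users").fetchall()
    return sum(1 for (v,) in rows if v is None or v.lower() == "null")


def demo():
    """Run both rename paths against the same payload and the null comparisons."""
    conn = fresh_db()
    vulnerable_rename(conn, 1, PAYLOAD_LAST_NAME)
    after_vulnerable = last_names(conn)  # every row's last name is now 'x'

    conn = fresh_db()
    safe_rename(conn, 1, PAYLOAD_LAST_NAME)
    after_safe = last_names(conn)  # only row 1 changed; payload stored verbatim

    conn = fresh_db()
    return {
        "vulnerable": after_vulnerable,
        "safe": after_safe,
        "sql_null_rows": sql_null_count(conn),
        "string_null_rows": string_null_count(conn),
        "naive_missing_rows": naive_missing_count(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path clobbers every user's last name with a single profile edit, which is the "destroy the business overnight" scenario; the parameterised path stores the payload as an ordinary (if odd) surname. The last three results show why the NULL/"null" distinction matters: the database itself keeps them apart, but an application check that folds them together gives a different answer from either query, and that is exactly the kind of string/type sloppiness that tends to sit next to string-built SQL.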