Comment by hsbauauvhabzb
4 months ago
If there are type confusion bugs related to SQL statements, I think SQL injection is likely to exist; if not, some other super nasty bugs will eclipse it.
You can waste 10k paying someone to look at it or you could not waste your money, but I’d be fucked before I sign off on a system with those kinds of bugs as being secure, evidence or not. Someone higher up can accept that risk, but I’d rather not be liable when it’s breached or catastrophically damaged because some kid changed their last name to an SQL injection payload.
And yes, I’ve checked, in my country unpronounceable names are not permitted, otherwise I’d have one. There are existing case studies of this, iirc in the UK.
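The "last name as an SQL injection payload" scenario from the comment above, as an added illustration that is not part of the thread. It uses an in-memory SQLite table with constructed sample rows (assumed, not from any real system) and contrasts a lookup that splices the name into the SQL text with one that passes it as a bound parameter; the hostile name string is likewise constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not taken from the thread.
SAMPLE_USERS = [("alice", "Smith"), ("bob", "Jones"), ("carol", "O'Brien")]


def make_db():
    """Build a throwaway in-memory table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, last_name):
    """Vulnerable form: the name becomes part of the SQL text, so a quote
    character inside it rewrites the WHERE clause."""
    sql = f"SELECT username FROM users WHERE last_name = '{last_name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, last_name):
    """Hardened form: the driver ships the value separately from the
    statement, so it is only ever compared, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE last_name = ?", (last_name,)
    )
    return sorted(row[0] for row in rows)


def concat_breaks_on_apostrophe(conn):
    """The concatenating lookup also fails on a perfectly ordinary name
    with an apostrophe; returns True if SQLite rejects the statement."""
    try:
        lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both lookups against the same data and report what each returns."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed: a "last name" that is also an SQL fragment
    return {
        "concat_hostile": lookup_concat(conn, hostile),   # every row leaks
        "param_hostile": lookup_param(conn, hostile),     # no such last name
        "param_apostrophe": lookup_param(conn, "O'Brien"),  # legitimate user found
        "concat_apostrophe_error": concat_breaks_on_apostrophe(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version both closes the injection and fixes the apostrophe bug, which is the usual tell that string-built SQL is present: the same defect that breaks on `O'Brien` is the one that turns a name field into a query.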