Comment by valenterry
2 months ago
I mean, there are still different reputations for certain techniques. And SQL sanitization has a bad reputation for good reasons. But SQL parsing, whitelisting and then reserialization also still has a bad reputation in the eyes of many people, and that's only because they don't understand the difference between the two.
No one would say "parsing JSON is broken if it's not tested", right? Then the same would be true for SQL.
So if you were to use this technique in a business that doesn't mandate regular pentests, it would not change how well the technique works and how secure/safe it is.
Is the parser available for review?
In my case yes, I use an OSS library that is based on Scala's (a bit outdated) parser combinators (https://github.com/scala/scala-parser-combinators). So the parsing part is not actually written by hand; the library only defines the keywords, the precedence, etc.
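To illustrate the parse, whitelist and reserialize approach the comment contrasts with string sanitization, here is an added example (not the commenter's Scala library and not from the thread): a toy recursive-descent parser for a tiny SELECT subset that rejects anything outside its grammar, checks every identifier against an assumed schema whitelist, and rebuilds the query with bound parameters. The grammar, the `users` schema and the `?` placeholder style are assumptions.

```python
import re
# Added example (not the commenter's library): parse a tiny SQL subset, whitelist
# identifiers, reserialise with bound parameters; grammar and schema are assumptions.
TOKEN_RE = re.compile(r"\s*(?:(\w+)|('(?:[^']|'')*')|(=|,|\*))")
ALLOWED = {"users": {"id", "name", "email"}}  # assumed schema whitelist

def tokenize(sql):
    toks, pos, sql = [], 0, sql.strip()
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:  # ';', '--', an unterminated quote: never becomes a token
            raise ValueError(f"unexpected input at {pos}: {sql[pos:pos + 10]!r}")
        toks.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return toks

def parse_select(sql):
    # Grammar: SELECT col[, col]* FROM table [WHERE col = 'literal']
    toks, i = tokenize(sql), 0
    def take(expected=None):
        nonlocal i
        if i >= len(toks) or (expected and toks[i].upper() != expected):
            raise ValueError(f"expected {expected or 'token'} at {i}")
        i += 1; return toks[i - 1]
    take("SELECT"); cols = [take()]
    while i < len(toks) and toks[i] == ",":
        take(); cols.append(take())
    take("FROM"); ast = {"cols": cols, "table": take(), "where": None}
    if i < len(toks):
        take("WHERE")
        col, _, lit = take(), take("="), take()
        if not lit.startswith("'"):  # only quoted literals become parameters
            raise ValueError("WHERE value must be a quoted literal")
        ast["where"] = (col, lit[1:-1].replace("''", "'"))
    if i != len(toks):  # e.g. a trailing OR '1'='1'
        raise ValueError(f"trailing tokens: {toks[i:]}")
    return ast

def safe_query(sql):
    # Whitelist every identifier against the schema, then rebuild the SQL.
    ast = parse_select(sql)
    allowed = ALLOWED.get(ast["table"])
    if allowed is None:
        raise ValueError(f"table not whitelisted: {ast['table']}")
    col, val = ast["where"] or (None, None)
    for c in ast["cols"] + ([col] if col else []):
        if c != "*" and c not in allowed:
            raise ValueError(f"column not whitelisted: {c}")
    out = f"SELECT {', '.join(ast['cols'])} FROM {ast['table']}"
    return (out + f" WHERE {col} = ?", [val]) if col else (out, [])
```

The point is that nothing is escaped: input either parses into the whitelisted grammar and is regenerated from the AST with the literal passed as a parameter, or it is rejected outright.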