
> It also makes it so easy to create opportunities for SQL injection if you don't have careful coders.

This is not the case. If you bind values with :ITEM_NAME and use compiled statements (never dynamic string concatenated ones with "execute immediate") there is no chance of SQL injection.
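The difference the comment describes, as an added PL/SQL illustration that is not part of the thread: the same APEX page process written with the item spliced into the statement text, and then with the item passed as a bind variable. The table `items`, its column `item_name`, and the page items `P1_ITEM_NAME` / `P1_COUNT` are assumed names.

```plsql
-- Vulnerable: the page item's value becomes part of the statement text,
-- so whatever the user submitted in P1_ITEM_NAME is parsed as SQL.
DECLARE
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM items WHERE item_name = ''' || :P1_ITEM_NAME || ''''
    INTO l_count;
  apex_util.set_session_state('P1_COUNT', l_count);
END;

-- Hardened, static SQL: the item is a bind variable. Its value is sent to the
-- database as data, never as statement text, so it cannot alter the query.
DECLARE
  l_count NUMBER;
BEGIN
  SELECT COUNT(*)
    INTO l_count
    FROM items
   WHERE item_name = :P1_ITEM_NAME;
  apex_util.set_session_state('P1_COUNT', l_count);
END;

-- Hardened, dynamic SQL only where it is genuinely needed: the statement text
-- is a constant and the item value is still supplied through a bind (USING).
DECLARE
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM items WHERE item_name = :b1'
    INTO l_count
    USING :P1_ITEM_NAME;
  apex_util.set_session_state('P1_COUNT', l_count);
END;
```

The second and third forms are what "bind values with :ITEM_NAME" means in practice; the statement text never changes with user input, so the parser sees the same query regardless of what the item contains.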




You can set items from the URL, which you usually can't do with most web frameworks. Of course you can enable Session State Protection, but you have to be vigilant.

You can also inadvertently leave a page public.



