Episode 8 · Module 3 · App Security

SQL Injection and ORM Safety

18 May 2026 · 10:25 · Security for Legal SaaS


First documented in 1998, SQL injection still caused the MOVEit breach that compromised 2,773 organisations in 2023. Alice and Dan explain parameterised queries, ORM escape hatches, second-order injection, and PostgreSQL Row-Level Security as a last-resort containment layer for multi-tenant legal data.

Today’s Lesson

Security for Legal SaaS — Episode 8: SQL Injection and ORM Safety

The Attack That Won’t Die

SQL injection was first documented in 1998. Twenty-eight years later, it remains OWASP’s A03 (Injection) and continues to cause catastrophic breaches. The MOVEit breach of 2023 — CVE-2023-34362, CVSS 9.8 — was a SQL injection that compromised 2,773 organisations. A single injection point. Ninety-five million individuals’ data exposed.

For legal SaaS, SQL injection is existential. Your database contains privileged communications, litigation strategy, client identity, and billing records. An attacker who achieves SQL injection doesn’t just read data — they can modify records, escalate privileges, and in some configurations execute operating system commands.

Key stat: HackerOne's 2023 report found SQL injection in their top 10 most impactful vulnerability categories, with median bounty payouts reflecting its severity.

How SQL Injection Works

The Vulnerable Pattern: String Concatenation

SQL injection exploits the mixing of code and data in database queries. When user input is concatenated directly into a SQL string, the database cannot distinguish between the developer’s intended query structure and attacker-supplied SQL.

# VULNERABLE — never do this
query = f"SELECT * FROM matters WHERE citation = '{user_input}'"

If user_input is ' OR '1'='1:

SELECT * FROM matters WHERE citation = '' OR '1'='1'

The query now returns every row in the table, because the injected condition '1'='1' is always true. Any access control that relied on this WHERE clause has been bypassed.
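The effect can be reproduced locally. The following is a minimal sketch, assuming an in-memory SQLite database as a stand-in for the real one; the table contents and the search_vulnerable helper are hypothetical and exist only for illustration.

```python
import sqlite3

# In-memory stand-in for the application database (hypothetical schema and data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE matters (citation TEXT, tenant_id TEXT)")
conn.executemany(
    "INSERT INTO matters VALUES (?, ?)",
    [
        ("[2024] EWHC 101", "tenant-a"),
        ("[2024] EWHC 202", "tenant-b"),
        ("[2025] UKSC 7", "tenant-c"),
    ],
)


def search_vulnerable(user_input):
    # VULNERABLE: the user's text becomes part of the SQL statement itself.
    query = f"SELECT citation, tenant_id FROM matters WHERE citation = '{user_input}'"
    return conn.execute(query).fetchall()


normal = search_vulnerable("[2024] EWHC 101")   # matches one citation
injected = search_vulnerable("' OR '1'='1")     # matches every row, all tenants
print(len(normal), len(injected))
```

The second call returns rows for all three tenants even though the caller supplied no valid citation.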

Escalation: From Data Theft to Full Compromise

Injection Type	Technique	Impact
Union-based	`UNION SELECT` to extract data from other tables	Read any table: users, credentials, privileged documents
Error-based	Force database errors that leak information	Enumerate table names, column types, database version
Blind (boolean)	Ask true/false questions, observe response differences	Extract data character by character
Blind (time-based)	Use a delay function such as `SLEEP()` (MySQL), `pg_sleep()` (PostgreSQL), or `WAITFOR DELAY` (SQL Server) to infer data from response time	Works even when no output difference is visible
Out-of-band	DNS or HTTP requests from the database server	Exfiltrate data through side channels
Stacked queries	Terminate query and start a new one	`DROP TABLE`, `INSERT`, `UPDATE` — full write access

PortSwigger’s SQL injection tutorial demonstrates that even blind injection — where the attacker never sees query output directly — can extract entire databases given enough requests.

Legal SaaS scenario: An attacker finds a blind SQL injection in your case search endpoint. They can't see results directly, but they ask: "Is the first character of the admin's password hash greater than 'M'?" The response time differs by 5 seconds (time-based blind). In 2,000 requests — completed in minutes by automated tools — they have the full admin password hash. With admin access, they read every privileged document in the system.
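Why so few requests suffice: each yes/no answer halves the set of candidate characters. The sketch below simulates this with a local function in place of a real endpoint. The secret value, the hexadecimal alphabet, and the oracle function are all assumptions made for illustration; no network or database is involved.

```python
import string

# Assumed alphabet: lowercase hexadecimal, in sorted order.
ALPHABET = sorted(string.digits + "abcdef")
# Stand-in secret, known only to the simulated "server".
SECRET = "3b1f9a0c7e5d2468"

request_count = 0


def oracle(position, candidate):
    """Simulated endpoint answering: is SECRET[position] greater than candidate?"""
    global request_count
    request_count += 1
    return SECRET[position] > candidate


def extract(length):
    """Recover the secret one character at a time by binary search."""
    recovered = []
    for position in range(length):
        low, high = 0, len(ALPHABET) - 1
        while low < high:
            middle = (low + high) // 2
            if oracle(position, ALPHABET[middle]):
                low = middle + 1    # the character is above the midpoint
            else:
                high = middle       # the character is at or below the midpoint
        recovered.append(ALPHABET[low])
    return "".join(recovered)


recovered = extract(len(SECRET))
print(recovered == SECRET, request_count)
```

With a 16-symbol alphabet each character costs four questions, so the 16-character stand-in is recovered in 64 simulated requests. Longer values and larger alphabets scale the same way, which is why automated tooling makes blind injection practical.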

Parameterised Queries: The Primary Defence

OWASP’s SQL Injection Prevention Cheat Sheet identifies parameterised queries (prepared statements) as the primary defence. They work by separating SQL structure from data at the protocol level:

# SAFE — parameterised query
cursor.execute(
    "SELECT * FROM matters WHERE citation = %s AND tenant_id = %s",
    (user_input, current_tenant_id)
)

The database engine receives the query structure and the parameters separately. The parameter is always treated as data — never as SQL code — regardless of its content. This defence is complete against first-order SQL injection.
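To see the difference in behaviour, the same payload can be passed as a bound parameter. This is a sketch under assumptions: it uses Python's built-in sqlite3 module, whose placeholder is ? rather than the %s shown above, and the schema and search_safe helper are hypothetical.

```python
import sqlite3

# In-memory stand-in for the application database (hypothetical schema and data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE matters (citation TEXT, tenant_id TEXT)")
conn.executemany(
    "INSERT INTO matters VALUES (?, ?)",
    [("[2024] EWHC 101", "tenant-a"), ("[2024] EWHC 202", "tenant-b")],
)


def search_safe(user_input, tenant_id):
    # The SQL text is fixed; values travel separately as bound parameters.
    return conn.execute(
        "SELECT citation FROM matters WHERE citation = ? AND tenant_id = ?",
        (user_input, tenant_id),
    ).fetchall()


legitimate = search_safe("[2024] EWHC 101", "tenant-a")
attempted = search_safe("' OR '1'='1", "tenant-a")
print(legitimate, attempted)
```

The payload is compared literally against the citation column, so it matches nothing and the tenant filter still applies.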

What You Cannot Parameterise

Parameters work for values in WHERE clauses, INSERT data, and UPDATE sets. They do not work for:

- Table names

- Column names

- ORDER BY sort directions (ASC / DESC)

- SQL keywords and operators

For these, use strict allowlists:

ALLOWED_SORT_COLUMNS = {'filed_date', 'citation', 'status', 'created_at'}
ALLOWED_DIRECTIONS = {'ASC', 'DESC'}

if sort_column not in ALLOWED_SORT_COLUMNS:
    raise ValueError("Invalid sort column")
if direction not in ALLOWED_DIRECTIONS:
    raise ValueError("Invalid sort direction")

query = f"SELECT * FROM matters ORDER BY {sort_column} {direction}"
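One variation on the allowlist, sketched here as an assumption rather than a prescribed pattern, is to map user-facing keys to fixed SQL fragments so that user input is only ever used as a dictionary key. The key names, the build_matters_query helper, and the SQLite stand-in database are hypothetical.

```python
import sqlite3

# User-facing keys map to fixed SQL fragments; user text never reaches the SQL string.
SORT_COLUMNS = {"filed": "filed_date", "citation": "citation", "status": "status"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_matters_query(sort_key, direction_key):
    try:
        column = SORT_COLUMNS[sort_key]
        direction = SORT_DIRECTIONS[direction_key.lower()]
    except KeyError:
        raise ValueError("Invalid sort option") from None
    # Identifiers come from the allowlist; the tenant filter stays a bound parameter.
    return f"SELECT citation FROM matters WHERE tenant_id = ? ORDER BY {column} {direction}"


# Demonstration against an in-memory SQLite database (stand-in data).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE matters (citation TEXT, filed_date TEXT, status TEXT, tenant_id TEXT)"
)
conn.executemany(
    "INSERT INTO matters VALUES (?, ?, ?, ?)",
    [
        ("B v C", "2024-03-01", "open", "tenant-a"),
        ("A v B", "2025-01-15", "closed", "tenant-a"),
        ("X v Y", "2023-06-30", "open", "tenant-b"),
    ],
)
rows = conn.execute(build_matters_query("filed", "desc"), ("tenant-a",)).fetchall()
print(rows)
```

Anything outside the two dictionaries, including an attempted payload in the sort parameter, raises ValueError before a query is built.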

ORM Safety and Its Limits

Modern ORMs — Prisma, SQLAlchemy, TypeORM, Django ORM — use parameterised queries by default. When you use the ORM’s query builder, you’re generally safe:

// Prisma — safe by default
const matters = await prisma.matter.findMany({
  where: { courtCode: userInput, tenantId: currentTenant }
});

# SQLAlchemy — safe via query builder
matters = session.query(Matter).filter(
    Matter.citation == user_input,
    Matter.tenant_id == current_tenant_id
).all()

The Raw Query Escape Hatch

Every ORM provides a way to execute raw SQL. This is where injection returns:

// Prisma — UNSAFE raw query with string interpolation
const result = await prisma.$queryRawUnsafe(
  `SELECT * FROM matters WHERE citation = '${userInput}'`
);

// Prisma — SAFE raw query with parameters
const result = await prisma.$queryRaw`
  SELECT * FROM matters WHERE citation = ${userInput}
`;

Prisma’s documentation explicitly warns that $queryRawUnsafe accepts arbitrary strings and must never include unsanitised user input. The tagged template literal version ($queryRaw) automatically parameterises.

ORM Safety Rules

1. Use the query builder for all standard operations

2. If you must use raw queries, use the parameterised variant

3. Never interpolate user input into raw SQL strings

4. Audit raw query usage in code reviews: search for $queryRawUnsafe, text(), .raw()

5. Add lint rules: custom ESLint rules can flag unsafe raw query patterns
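The audit step can be partly automated. The following is a rough sketch of a source scanner, assuming simple regular-expression heuristics; the pattern names and the find_raw_sql helper are hypothetical, and the patterns will produce both false positives and misses. It is a starting point for review, not a substitute for a taint-tracking tool.

```python
import re

# Heuristic patterns (assumptions, not a complete rule set).
RISKY_PATTERNS = {
    "prisma-unsafe-raw": re.compile(r"\$(queryRawUnsafe|executeRawUnsafe)\s*\("),
    "sqlalchemy-text-fstring": re.compile(r"\btext\(\s*f['\"]"),
    "django-raw-or-extra": re.compile(r"\.(raw|extra)\("),
}


def find_raw_sql(source):
    """Return (line_number, pattern_name) for each line that matches a risky pattern."""
    findings = []
    for line_number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_number, name))
    return findings


# Mixed-language sample lines, as a reviewer might see across a codebase.
sample = '''\
rows = session.execute(text(f"SELECT * FROM matters WHERE citation = '{q}'"))
rows = session.execute(text("SELECT * FROM matters WHERE citation = :c"), {"c": q})
const r = await prisma.$queryRawUnsafe(sql);
qs = Matter.objects.raw(sql)
'''

findings = find_raw_sql(sample)
for line_number, name in findings:
    print(line_number, name)
```

The second sample line uses a bound parameter and is not flagged. The flagged lines still need a human to decide whether user input actually reaches the string.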

Second-Order SQL Injection

First-order injection: malicious input is immediately used in a query. Second-order injection: malicious input is stored safely, then later used unsafely in a different query.

Scenario:

1. A user registers with username: admin'--

2. The registration query uses parameterised statements — safe, value stored as-is

3. Later, an admin panel builds a query: "SELECT * FROM audit_log WHERE username = '" + stored_username + "'"

4. The stored value, retrieved from the database, is now injected into a vulnerable query

OWASP documents second-order injection as particularly insidious because the initial input point appears safe — parameterised queries protect it. The vulnerability exists in a completely different code path that reads the stored value and uses it unsafely.

Defence: Treat all data as untrusted, even data from your own database. Every query that includes any variable data — regardless of its source — must use parameterised statements.
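The scenario can be reproduced in a few lines. This sketch assumes an in-memory SQLite database and a hypothetical two-table schema; the audit entries are invented for illustration.

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT)")
conn.execute("CREATE TABLE audit_log (username TEXT, action TEXT)")

# Steps 1-2: registration is parameterised, so the payload is stored verbatim.
conn.execute("INSERT INTO users VALUES (?)", ("admin'--",))
conn.executemany(
    "INSERT INTO audit_log VALUES (?, ?)",
    [
        ("admin", "exported privileged documents"),
        ("admin'--", "logged in"),
    ],
)

stored_username = conn.execute("SELECT username FROM users").fetchone()[0]

# Steps 3-4: VULNERABLE, the stored value is concatenated into a new query.
unsafe_sql = "SELECT action FROM audit_log WHERE username = '" + stored_username + "'"
unsafe_rows = conn.execute(unsafe_sql).fetchall()

# Defence: bind the stored value like any other untrusted input.
safe_rows = conn.execute(
    "SELECT action FROM audit_log WHERE username = ?", (stored_username,)
).fetchall()

print(unsafe_rows, safe_rows)
```

In the concatenated query the stored quote closes the string and the two dashes comment out the rest, so the query returns the real admin's audit entries. The parameterised query returns only the entries belonging to the literal username.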

SQL Injection Testing

Manual Testing

PortSwigger’s methodology starts with:

1. Submit a single quote ' and observe error messages

2. Submit boolean conditions (OR 1=1, OR 1=2) and compare responses

3. Submit time-delay payloads (for example '; WAITFOR DELAY '0:0:5'-- on SQL Server, or '; SELECT pg_sleep(5)-- on PostgreSQL) and observe timing

4. Submit OWASP’s SQL injection test strings from the Testing Guide

Automated Testing

Tool	Purpose	Note
sqlmap	Automated SQL injection detection and exploitation	Gold standard for SQLi testing
Burp Suite	Proxy-based web security scanner	Comprehensive scanning including SQLi
OWASP ZAP	Open-source web application scanner	Free alternative to Burp

Code-Level Prevention

Static analysis tools can identify vulnerable patterns before deployment:

- Semgrep rules for raw SQL detection

- SonarQube SQL injection detection

- CodeQL queries for taint analysis (tracking user input to SQL queries)

Database-Level Hardening

Even with perfect parameterisation, defence in depth requires database-level controls:

Control	Purpose
Principle of least privilege	Application DB user has only SELECT/INSERT/UPDATE on required tables; never DROP, CREATE, or superuser rights
Separate read/write credentials	Read-only endpoints use read-only DB credentials
Stored procedures	Encapsulate complex queries; restrict direct table access
Row-level security	PostgreSQL RLS enforces tenant isolation at the database level
Query logging	Log all queries for anomaly detection

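For multi-tenant legal SaaS, PostgreSQL Row-Level Security provides a particularly strong defence. Even if an injection occurs, the database itself restricts queries to rows belonging to the current tenant, acting as a last-resort containment layer. This holds only if the application connects as a role without superuser or BYPASSRLS rights, and either does not own the tables or the tables use FORCE ROW LEVEL SECURITY, because superusers, BYPASSRLS roles, and (by default) table owners skip RLS policies.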
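A minimal sketch of how this might be wired up follows. The policy name tenant_isolation, the setting name app.current_tenant, a text-typed tenant_id column, and the begin_tenant_scope helper are all assumptions for illustration. The SQL statements target PostgreSQL and are held as strings here; the %s placeholder assumes a psycopg-style driver, and a recording stand-in cursor lets the sketch run without a database.

```python
# PostgreSQL statements, intended to be run once by a migration role
# rather than by the application role.
RLS_SETUP = [
    "ALTER TABLE matters ENABLE ROW LEVEL SECURITY",
    # FORCE makes the policy apply to the table owner as well.
    "ALTER TABLE matters FORCE ROW LEVEL SECURITY",
    "CREATE POLICY tenant_isolation ON matters "
    "USING (tenant_id = current_setting('app.current_tenant'))",
]


def begin_tenant_scope(cursor, tenant_id):
    """Set the tenant for the current transaction only (third argument true = local)."""
    cursor.execute(
        "SELECT set_config('app.current_tenant', %s, true)", (tenant_id,)
    )


class RecordingCursor:
    """Stand-in for a DB-API cursor so the sketch runs without a database."""

    def __init__(self):
        self.calls = []

    def execute(self, sql, params=None):
        self.calls.append((sql, params))


cursor = RecordingCursor()
begin_tenant_scope(cursor, "tenant-a")
print(cursor.calls)
```

Because current_setting raises an error when the setting has never been set, a request that forgets to call begin_tenant_scope fails rather than returning every tenant's rows. An attacker able to run arbitrary statements could call set_config themselves, which is one reason RLS is containment rather than a replacement for parameterised queries.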

Conclusion

SQL injection is a solved problem at the code level — parameterised queries eliminate it entirely for value-position injection. Yet it persists because developers use raw queries for “just this one complex case,” because ORMs offer unsafe escape hatches, and because second-order injection hides in code paths nobody thought to check. Use the ORM. Parameterise the exceptions. Treat stored data as untrusted. Test regularly.

Next episode: Cross-Site Scripting (XSS) — when the attacker’s code runs in your users’ browsers, with access to their sessions, their documents, and their privileged data.

Alice: Welcome back to Security for Legal SaaS. I’m Alice.

Dan: And I’m Dan. Episode 8 — SQL Injection and ORM Safety. Alice, this is a vulnerability that was first documented in 1998. Are we really still talking about it in 2026?

Alice: We are, because it’s still causing catastrophic breaches. MOVEit, 2023. A single SQL injection, CVE-2023-34362, with a severity score of 9.8 out of 10, compromised 2,773 organisations and exposed 95 million people’s data. A CVE, by the way, is a Common Vulnerabilities and Exposures identifier, the standard way security flaws are catalogued. It’s a solved problem at the code level. The fix has existed for two decades. And it keeps happening because developers take shortcuts.

Dan: So explain the mechanics. How does injecting SQL actually work?

Alice: It exploits a fundamental flaw in how many applications build database queries — a database query is the instruction your application sends to its database to retrieve or modify data, written in SQL, Structured Query Language. If you construct a SQL query by concatenating user input directly into the query string, you’re mixing code and data. The database can’t tell where your intended query ends and the attacker’s additions begin.

Dan: Give me a concrete example in a legal context.

Alice: You have a case search endpoint. A lawyer types a citation into a search box, and your backend builds a query: "SELECT * FROM matters WHERE citation equals", and then you paste in whatever the user typed, wrapped in quotes. If the user types a normal citation, it works fine. But if they type: single-quote, space, OR, space, ’1’ equals ’1’, now your query says "select all matters where citation equals empty string OR one equals one." One always equals one. The query returns every matter in the database.

Dan: Every matter. Across all tenants?

Alice: If your tenant isolation is only enforced at the application layer and not in the query itself, yes. Every client’s privileged documents, litigation strategy, billing records. Returned in one query.

Dan: That’s the simple case. What about the more sophisticated versions?

Alice: Blind injection is the scary one. The attacker can’t see query results directly — maybe the endpoint only returns "found" or "not found." So they ask binary questions. "Is the first character of the admin password hash greater than M?" If the response comes back in 100 milliseconds, the answer is no. If it takes 5 seconds — because they added a conditional sleep command — the answer is yes. With automated tools like sqlmap — an open-source tool purpose-built for exploiting SQL injection — they extract entire databases this way. Character by character. It takes minutes, not hours.

Dan: OK, so the fix. Parameterised queries.

Alice: The fix is absolute and it’s been available since the late nineties. A parameterised query separates the SQL structure from the data at the protocol level. You write the query with placeholders — question marks or named parameters — and pass the user’s input separately. The database engine receives them as two distinct things. The parameter is always treated as a data value, never as SQL code. No matter what characters it contains, it cannot alter the query structure.

Dan: And modern ORMs — Object-Relational Mappers, as we covered in episode seven — do this automatically?

Alice: When you use the ORM’s query builder, yes. Prisma’s findMany, SQLAlchemy’s filter method, Django’s ORM — they all generate parameterised queries under the hood. If you write prisma.matter.findMany where courtCode equals userInput, that’s safe. The ORM parameterises it.

Dan: So why does injection still happen if ORMs prevent it?

Alice: Because every ORM has an escape hatch. Prisma has $queryRawUnsafe. SQLAlchemy has text() with string formatting. Django has .raw() and .extra(). These exist for complex queries the query builder can’t express: window functions, recursive CTEs (Common Table Expressions, a way to build complex queries in stages), and full-text search with custom ranking. Developers reach for them, and then they concatenate user input because it’s faster than figuring out the parameterised syntax.

Dan: That makes sense. So the rule for code review is — search for those escape hatches?

Alice: Exactly. In a Prisma codebase, grep for $queryRawUnsafe. In SQLAlchemy, look for text() combined with f-strings or .format() — both are Python ways of pasting variables directly into strings, which is exactly what you don’t want near a database query. In Django, search for .raw() and .extra(). Every instance should be examined for user input flowing into the string. Static analysis tools — programs that scan your source code for vulnerabilities without running it — like Semgrep can automate this with taint tracking rules, which follow data flow from untrusted input to sensitive operations.

Dan: You mentioned something called second-order injection in the research. That’s a nastier variant?

Alice: Much nastier because the injection point and the vulnerability are in different code paths. Here’s the scenario: a user registers with the username "admin single-quote dash dash." Your registration code uses parameterised queries — perfectly safe. The value is stored as-is in the database. Six months later, someone writes an admin panel that builds an audit log query by reading usernames from the database and concatenating them. That stored username is now injected into a vulnerable query. The original input point was safe. The vulnerability is in completely different code that reads from the database.

Dan: That’s terrifying. How do you defend against it?

Alice: The principle is: treat all data as untrusted, including data from your own database. Every query that includes variable data must use parameterised statements, regardless of where that data originated. "It came from our own database" is not a safety guarantee. It came from user input at some point.

Dan: What about database-level defences? Is there anything beyond parameterised queries?

Alice: Defence in depth. First — principle of least privilege. Your application’s database user should have only the permissions it needs. SELECT, INSERT, UPDATE on specific tables. Never DROP, CREATE, or system admin privileges. If injection occurs, the attacker is constrained by the user’s permissions. Second — for multi-tenant legal SaaS, PostgreSQL Row-Level Security — RLS for short. You define policies at the database level that restrict which rows each user can see. Even if an injection bypasses your application code, the database itself enforces tenant isolation.

Dan: That’s a genuine safety net. Even a successful injection can’t cross tenant boundaries.

Alice: Correct. The application sets a session variable identifying the current tenant, and the RLS policy filters every query. An attacker who achieves injection can only access their own tenant’s data — which they already had access to. It’s not a replacement for parameterised queries, but it’s a critical containment layer.

Dan: How should teams test for SQL injection?

Alice: Three levels. First, automated scanning — tools like sqlmap, Burp Suite, or OWASP ZAP, which are specialised security testing tools that probe your application for vulnerabilities — against your staging environment. They’ll find the obvious cases. Second, code review with static analysis — Semgrep or CodeQL rules that track data flow from API inputs to raw query functions. Third, manual testing on high-value endpoints. Submit a single quote and watch the error response. Submit boolean conditions and compare responses. Submit time-delay payloads and measure response times. Any variation means potential injection.

Dan: And the error messages matter too, right? You don’t want to leak database details.

Alice: Never expose raw database errors to users. A stack trace showing "PostgreSQL error near character 47" tells the attacker exactly where their injection syntax broke. Return generic error messages to the client. Log detailed errors server-side for your team.

Dan: So the summary: parameterised queries prevent first-order injection completely, ORMs provide this by default but have escape hatches that reintroduce risk, second-order injection requires treating even database-sourced data as untrusted, and row-level security provides containment if everything else fails.

Alice: And the uncomfortable truth: this is a completely solved problem. Every breach from SQL injection in 2026 is a choice someone made to skip the established, well-documented, universally available defence.

Dan: Next episode — Cross-Site Scripting. When the attacker’s code runs in your users’ browsers. Different injection target, same devastating consequences.

Alice: Until then, I’m Alice.

Dan: And I’m Dan.

Alice: Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.
