Aren't nearly all injection vulnerabilities countered by using parameterized queries? Hasn't that been the standard for many years now? I'm curious how often you've successfully employed SQL injection in production environments recently.
Developers still have to actively use parameterized queries in order for them to work. Just being a standard isn't enough (something something...nobody follows standards). In other cases, even if developers are using parameterized queries in recent code, if the application is using legacy code, SQL injections may still exist there. I found over 100 SQL injections in 2023 alone.
Can't this be negated by using the functions that will escape special chars? And can't we make our own function if it comes down to it to sterilize " and ' into HTML hex counterparts from the ASCII table?
Are you talking about ways to mitigate SQL injection itself? If so, prepared statements are the recommended way to go rather than manually escaping / sanitizing characters.
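As an added example, not code from the thread or from any of the participants, the following Python script (using the standard-library sqlite3 driver) puts the three approaches discussed above side by side: a legacy query built by string concatenation, the same lookup as a prepared/parameterized statement, and a hand-rolled escape function of the kind proposed in the question. The table, usernames and attacker inputs are all constructed for the demo. It also shows the caveat a practitioner cares about: an escape function that doubles quotes protects a quoted string context but does nothing for an unquoted numeric one, while the parameterized query handles both.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users (id, username, role) VALUES (?, ?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """Legacy style: user input is spliced into the SQL text. Injectable."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Parameterized query: the value is bound separately from the SQL text,
    so it can never change the structure of the statement."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_param_by_id(conn, user_id):
    """Parameterized numeric lookup; the bound value is compared as data only."""
    sql = "SELECT id, username, role FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def naive_escape(value):
    """Hand-rolled escaping: double any single quote (the SQL string escape).
    This is the kind of helper the question proposes writing yourself."""
    return value.replace("'", "''")


def lookup_escaped_string(conn, username):
    """Escaping used in a quoted string context: the quote-based payload is
    neutralised because every ' becomes '' inside the literal."""
    sql = (
        "SELECT id, username, role FROM users WHERE username = '"
        + naive_escape(username)
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_escaped_numeric(conn, user_id):
    """The same escape function in an unquoted numeric context. A payload
    with no quote characters passes through untouched and still injects."""
    sql = "SELECT id, username, role FROM users WHERE id = " + naive_escape(user_id)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    quote_payload = "x' OR '1'='1"   # constructed attacker input for a string context
    numeric_payload = "1 OR 1=1"     # constructed attacker input for a numeric context
    print("concat   :", lookup_concat(db, quote_payload))           # all rows
    print("param    :", lookup_param(db, quote_payload))            # no rows
    print("escaped  :", lookup_escaped_string(db, quote_payload))   # no rows
    print("esc+num  :", lookup_escaped_numeric(db, numeric_payload))  # all rows again
    print("param+num:", lookup_param_by_id(db, numeric_payload))    # no rows
```

The point the last two lines make is why prepared statements are the recommendation rather than escaping: the escape function has to be correct for every context the value can land in (quoted string, bare number, identifier, LIKE pattern), and a single forgotten or mismatched context is enough, whereas a bound parameter is never parsed as SQL in the first place.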