Injection Attacks Are Not Dead: SQL, NoSQL, ORM, and Command Injection — How to Actually Fix Them (2026)

#injection #sql #nosql #security

Mahdi Shamlou here. “Mahdi, I finally launched my e‑commerce site. And don’t worry — I used MongoDB, so no SQL injection. You can’t hack it.” I laughed. Then I asked him to let me try. Within 10 minutes, I bypassed his login with a NoSQL injection and pulled out his entire user collection. His face went pale.

Moral of the story: “No SQL” does NOT mean “no injection”. Injection is a whole class of attacks: SQL, NoSQL, ORM, command, LDAP, you name it. If you concatenate user input into any kind of query or system command, you’re likely vulnerable.

In this guide, I’ll show you: how I hacked my friend’s NoSQL login (and how to fix it); classic SQL injection, still alive and well; how even an ORM like SQLAlchemy can betray you if you misuse it; command injection that gives attackers a shell on your server; and actual code fixes plus tools to find these bugs automatically. Let’s dive in.

The Story: “But I Use NoSQL!…
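The two injection classes the teaser names, a NoSQL login bypass and a classic SQL login bypass, each shown beside its fix. This is an added example, not code from the original post or from the author's site. MongoDB is stood in for by a tiny in-memory matcher that implements only the `$ne` and `$gt` operators (an assumption made so the example runs offline; it is not a faithful MongoDB reimplementation), the SQL side uses the standard-library `sqlite3` module, and the user record is constructed sample data.

```python
"""NoSQL operator injection and SQL string-concatenation injection, with fixes.

Added example (not from the original post). The Mongo-style matcher below is a
stand-in for pymongo's find_one and understands only $ne and $gt, which is
enough to show why a JSON body like {"password": {"$ne": ""}} bypasses a login.
"""
import sqlite3
from typing import Optional

# Constructed sample data: one user whose password the attacker does not know.
USERS = [{"username": "admin", "password": "correct horse battery staple", "role": "admin"}]


def mongo_match(doc: dict, query: dict) -> bool:
    """Evaluate a Mongo-style query against one document (equality, $ne, $gt only)."""
    for field, expected in query.items():
        actual = doc.get(field)
        if isinstance(expected, dict):            # operator object, e.g. {"$ne": ""}
            for op, operand in expected.items():
                if op == "$ne":
                    if actual == operand:
                        return False
                elif op == "$gt":
                    if not (isinstance(actual, str) and actual > operand):
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif actual != expected:                  # plain scalar equality
            return False
    return True


def find_one(query: dict) -> Optional[dict]:
    """In-memory stand-in for collection.find_one(query)."""
    return next((u for u in USERS if mongo_match(u, query)), None)


def nosql_login_vulnerable(body: dict) -> Optional[str]:
    """Passes the parsed JSON body straight into the query.

    A body of {"username": "admin", "password": {"$ne": ""}} turns the password
    clause into "password != ''", which is true for every real password.
    """
    user = find_one({"username": body.get("username"), "password": body.get("password")})
    return user["role"] if user else None


def nosql_login_safe(body: dict) -> Optional[str]:
    """Fix: accept only plain strings, so no operator object can reach the query."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None                               # dicts, lists, None: refused outright
    user = find_one({"username": username, "password": password})
    return user["role"] if user else None


def _sqlite_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(u["username"], u["password"], u["role"]) for u in USERS])
    return conn


def sql_login_vulnerable(username: str, password: str) -> Optional[str]:
    """Builds the SQL by string formatting; a username of "admin' --" comments
    out the password check entirely."""
    conn = _sqlite_db()
    sql = f"SELECT role FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def sql_login_safe(username: str, password: str) -> Optional[str]:
    """Fix: parameterized query; the driver keeps values separate from SQL text."""
    conn = _sqlite_db()
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    attack_body = {"username": "admin", "password": {"$ne": ""}}
    print("NoSQL vulnerable:", nosql_login_vulnerable(attack_body))   # admin
    print("NoSQL fixed:     ", nosql_login_safe(attack_body))         # None
    print("SQL vulnerable:  ", sql_login_vulnerable("admin' --", "x"))  # admin
    print("SQL fixed:       ", sql_login_safe("admin' --", "x"))       # None
```

The type check in `nosql_login_safe` is the minimal fix; in a real application you would also store password hashes rather than plaintext and compare with a constant-time verifier, so that even a successful injection into the password field never matches a stored value. The same type-check idea generalizes to any field you pass into a query from `request.json`: anything that is not the scalar type you expect is refused before it reaches the database.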
