Key findings:
- Interface Hazards (design-transferred risks) outnumber Implementation Defects 3:1 - 79% of SQL injection occurs downstream of the database engine - ORMs—built specifically to fix this—still fail at 88%
The formal proof (Section 1.1) shows string concatenation is non-composable with parsing. Injection isn't a bug to patch; it's a mathematical property of the interface.
Section 1.2 makes the comparison to W^X: operating systems enforce code/data separation at the hardware level. Databases violate it at the application level. We regressed.
Full methodology is auditable via API. Data and code in the repo.
Happy to answer questions.
How so? The only way to do anything dangerous using any orm I've used was when I needed to do something orm doesn't support and I had to extend it, operating at a text layer (custom db syntax or non-standard sql extension). 99% of sql users wouldn't event know how to get there.