
Enhance ASVS V1.2.4 to address misinterpretation of ORM safety regarding dynamic queries

Open ajayojha opened this issue 5 months ago • 20 comments

As discussed in https://github.com/OWASP/ASVS/discussions/3193, I am opening this issue to formally track the proposal related to Database Queries.

Following the discussion, here is the final proposal:

1.2.4: Database Queries

The Statement: "Verify that data selection or database queries (e.g., SQL, HQL, NoSQL, Cypher) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from SQL Injection..."

Why it needs explanation: This rule is excellent, but developers often assume that simply using an ORM makes them immune. They fail to understand that injecting user input into methods that construct the query structure itself reintroduces SQL injection.

Recommendation: The explanation should explicitly state: "Verify that data selection or database queries (e.g., SQL, HQL, NoSQL, Cypher) use parameterized queries, ORMs, or entity frameworks. Additionally, ensure that any user input used to construct or modify the structure of a query (e.g., table names, field names, ORDER BY clauses) is validated against a strict allow-list."

ajayojha avatar Jun 15 '25 04:06 ajayojha
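The distinction the proposal draws, between values (which parameter binding protects) and query structure (which it cannot), is shown below as an added example; it is not code from the ASVS project or from the issue author. It uses Python's standard `sqlite3` module against a small in-memory `users` table constructed inline, and the column and direction allow-lists are assumptions chosen for the illustration.

```python
"""Parameter binding vs. allow-listing for query structure (added example).

The WHERE value is always bound with a placeholder. The ORDER BY column and
direction are identifiers/keywords, so a placeholder cannot carry them; the
only defence is checking them against a strict allow-list before they are
spliced into the SQL text.
"""
import sqlite3

# Allow-lists for query structure (assumed for this example): the only column
# names and sort keywords a caller may ask for.
ALLOWED_SORT_COLUMNS = {"id", "name", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "created_at TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, created_at, role) VALUES (?, ?, ?)",
        [
            ("carol", "2024-01-03", "user"),
            ("alice", "2024-01-01", "user"),
            ("bob", "2024-01-02", "admin"),
        ],
    )
    return conn


def find_users_unsafe(conn: sqlite3.Connection, role: str,
                      sort_by: str, direction: str = "ASC") -> list[str]:
    """The misreading the issue describes: the value is bound, so the code
    looks parameterized, but the ORDER BY clause is built from raw input.
    Whatever the caller passes as `sort_by` becomes part of the query
    structure, unchecked."""
    sql = f"SELECT name FROM users WHERE role = ? ORDER BY {sort_by} {direction}"
    return [row[0] for row in conn.execute(sql, (role,))]


def find_users_safe(conn: sqlite3.Connection, role: str,
                    sort_by: str, direction: str = "ASC") -> list[str]:
    """Hardened form: structure inputs are validated against allow-lists,
    the data value stays bound. Rejecting with an exception (rather than
    silently falling back to a default) makes the bad input visible in
    application logs."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not permitted: {sort_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not permitted: {direction!r}")
    # Safe to interpolate now: both identifiers come from fixed sets we own.
    sql = f"SELECT name FROM users WHERE role = ? ORDER BY {sort_by} {direction}"
    return [row[0] for row in conn.execute(sql, (role,))]


def structure_rejected(conn: sqlite3.Connection, sort_by: str) -> bool:
    """Return True if the hardened query refuses `sort_by`; used to show that
    the allow-list, not the placeholder, is what blocks structure control."""
    try:
        find_users_safe(conn, "user", sort_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe, name ASC:       ", find_users_safe(db, "user", "name"))
    print("safe, created_at DESC:", find_users_safe(db, "user", "created_at", "desc"))
    # 'role' is a real column but not an allow-listed sort key: the unsafe
    # version happily uses it, the safe version refuses.
    print("unsafe accepts 'role':", find_users_unsafe(db, "user", "role"))
    print("safe rejects 'role':  ", structure_rejected(db, "role"))
```

Note that the bound `?` for `role` is identical in both functions; the difference lies entirely in whether the identifier reaching `ORDER BY` was checked. The same pattern applies to ORM APIs that accept a column name or raw fragment as a string (ordering, selecting or filtering by a caller-supplied field), which is the case the proposed ASVS wording is meant to call out.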