[AccessD] oT Friday; amused easily

David McAfee dmcafee at pacbell.net
Fri Oct 14 01:34:15 CDT 2005


First of all, by allowing the use of SPs, a developer should not allow
anyone to have direct access to tables.
There is no way that a system that is fully unsecured and allows any general
SQL statement to execute is good practice. Whenever any text parameters are
passed as input parameters, they should be checked for invalid characters
and/or words (', ;, -, SELECT, DROP, TRUNCATE, DELETE, ALTER).

This guy assumes that nobody implements security, even when using SPs. He is
wrong.

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com]On Behalf Of Jim Lawrence
Sent: Thursday, October 13, 2005 11:08 PM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] oT Friday; amused easily


I had been scanning through the 'Simple Talk Blog' where Arthur's great
article is and was amazed (and amused) at one particular write up. The
article was called 'To SP or not to SP in SQL Server' at
http://www.simple-talk.com/2005/04/11/to-sp-or-not-to-sp-in-sql-server/

The writer is debating the general consensus that says Stored Procedures are
safer than passing full SQL calls to a server.... and here I quote:

<quote>
One of the most damaging arguments raised in defense of SPs is that they
somehow magically prevent SQL injection attacks
(http://www.unixwiz.net/techtips/sql-injection.html). From Rob's post:

Additionally, stored procedures are a counter-measure to dangerous SQL
Script injection attacks, a susceptibility that applications using embedded
SQL are more vulnerable to.

Sorry, but this is just not true. Using SPs makes it more likely that you
will pass parameters the right way, but there is no guarantee. For instance,
this is some code I recently read answering a question on
http://www.asp.net:
<unquote>

...And then the example proving that SPs are not safer...

<quote>
strsql = "EXECUTE findtitle '" & textboxtitle.text & "'"
objCmd = New SqlCommand(strSQL, objConn)
<unquote>

Unbelievable. Does using an ADO command method imply a SP?? After that I
could take nothing seriously in the article but I had a good laugh :-)

Hope this amuses someone else.
(...working too long)
Jim

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
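The EXECUTE-concatenation pattern quoted above, placed beside the parameterized call that ADO.NET provides for the same stored procedure, as an added example that is not part of this thread or of the Simple Talk article it quotes. It assumes a SQL Server stored procedure named findtitle taking a single parameter; the parameter name @title, the titles table named in the constructed hostile input, and the connection string are placeholders for this example.

```vbnet
' Added example, not code from the thread or the article it quotes.
' Assumptions: a stored procedure findtitle with one parameter @title
' (parameter name and table name are placeholders for this example).
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module FindTitleDemo

    ' The pattern quoted from the article: the caller's text is spliced into a
    ' T-SQL batch. A stored procedure is involved, but the input never becomes
    ' a parameter; it is parsed as SQL text together with the EXECUTE keyword.
    Function BuildUnsafeBatch(title As String) As String
        Return "EXECUTE findtitle '" & title & "'"
    End Function

    Sub FindTitleUnsafe(conn As SqlConnection, title As String)
        ' CommandType defaults to Text, so the whole string is sent as a batch
        ' and any extra statement in it runs with the caller's permissions.
        Dim cmd As New SqlCommand(BuildUnsafeBatch(title), conn)
        Using rdr As SqlDataReader = cmd.ExecuteReader()
            While rdr.Read()
                Console.WriteLine(rdr(0))
            End While
        End Using
    End Sub

    ' The same procedure called the way ADO.NET intends: the procedure name is
    ' the command text and the title travels as a typed parameter of an RPC
    ' call, so quotes or semicolons in it reach findtitle as plain string data.
    Sub FindTitleSafe(conn As SqlConnection, title As String)
        Dim cmd As New SqlCommand("findtitle", conn)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 255).Value = title
        Using rdr As SqlDataReader = cmd.ExecuteReader()
            While rdr.Read()
                Console.WriteLine(rdr(0))
            End While
        End Using
    End Sub

    Sub Main()
        ' Constructed hostile input: closes the quoted literal the unsafe code
        ' opens, appends a second statement, and comments out the trailing
        ' quote that BuildUnsafeBatch adds.
        Dim hostile As String = "x'; DROP TABLE titles; --"

        ' Shows the batch the unsafe path would send; no connection needed.
        Console.WriteLine(BuildUnsafeBatch(hostile))

        ' Placeholder connection string; replace before running against a server.
        Using conn As New SqlConnection("Server=.;Database=YourDb;Integrated Security=true")
            conn.Open()
            ' findtitle receives the entire hostile string as the value of @title.
            FindTitleSafe(conn, hostile)
        End Using
    End Sub

End Module
```

With that input BuildUnsafeBatch yields `EXECUTE findtitle 'x'; DROP TABLE titles; --'`, which SQL Server parses as two statements. In FindTitleSafe the same text is bound to @title and never meets the SQL parser as text, so any check the application applies to the value (length, permitted characters) is a business rule rather than the thing standing between the user and the server.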