[AccessD] oT Friday; amused easily

Arthur Fuller artful at rogers.com
Fri Oct 14 14:11:45 CDT 2005


I just posted a reply, not directly to this article but to the general
notion that sprocs are safer than dynamic SQL. That is my story and I am
sticking to it! 
And thanks to you for your kind words, and to all others on this list who
took the time to read it. You boost my hit-count and that makes me look good
to the publisher! Thanks!

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: October 14, 2005 2:08 AM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] oT Friday; amused easily

I had been scanning through the 'Simple Talk Blog' where Arthur's great
article is and was amazed (and amused) at one particular write up. The
article was called 'To SP or not to SP in SQL Server' at
http://www.simple-talk.com/2005/04/11/to-sp-or-not-to-sp-in-sql-server/ 

The writer is debating the general consensus that says Stored Procedures are
safer than passing full SQL calls to a server.... and here I quote:

<quote>
One of the most damaging arguments raised in defense of SPs is that they
somehow magically prevent SQL injection attacks
(http://www.unixwiz.net/techtips/sql-injection.html). From Rob's post:

Additionally, stored procedures are a counter-measure to dangerous SQL
Script injection attacks, a susceptibility that applications using embedded
SQL are more vulnerable to.

Sorry, but this is just not true. Using SPs makes it more likely that you
will pass parameters the right way, but there is no guarantee. For instance,
this is some code I recently read answering a question on
http://www.asp.net:
<unquote>

...And then the example proving that SPs are not safer...

<quote>
strSQL = "EXECUTE findtitle '" & textboxtitle.Text & "'"
objCmd = New SqlCommand(strSQL, objConn)
<unquote>

Unbelievable. Does using an ADO command method imply a SP?? After that I
could take nothing seriously in the article but I had a good laugh :-)

Hope this amuses someone else.
(...working too long)
Jim  

-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
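The pattern the article quotes, placed beside the parameterised call that actually removes the injection, as an added example. This is not code from the original posts, from the Simple Talk article, or from the asp.net answer it cites. It assumes a SQL Server procedure named findtitle taking a single @title parameter of type nvarchar(255); the parameter name and width, the table name "titles" used in the crafted input, and the SqlConnection passed in are all assumptions made for the example.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module TitleLookup

    ' The shape the article quotes: the procedure is reached through a string
    ' that the user's text is pasted into, so EXECUTE buys nothing. With the
    ' title  x'; DROP TABLE titles; --  the command text becomes
    '   EXECUTE findtitle 'x'; DROP TABLE titles; --'
    ' which SQL Server runs as a two-statement batch (the trailing quote is
    ' swallowed by the -- comment).
    Function BuildVulnerableCommandText(title As String) As String
        Return "EXECUTE findtitle '" & title & "'"
    End Function

    Function FindTitleVulnerable(conn As SqlConnection, title As String) As SqlDataReader
        Dim cmd As New SqlCommand(BuildVulnerableCommandText(title), conn)
        ' CommandType defaults to Text: the server parses whatever the string says.
        Return cmd.ExecuteReader()
    End Function

    ' Hardened form: the procedure name is the whole command text, and the title
    ' travels as a typed parameter that is never parsed as SQL. The parameter
    ' name (@title) and width (255) are assumed for this example.
    Function FindTitleSafe(conn As SqlConnection, title As String) As SqlDataReader
        Dim cmd As New SqlCommand("findtitle", conn)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 255).Value = title
        Return cmd.ExecuteReader()
    End Function

    Sub Main()
        ' Show the injected batch without touching a database (constructed input).
        Console.WriteLine(BuildVulnerableCommandText("x'; DROP TABLE titles; --"))
        ' Against a real server, open a SqlConnection inside a Using block and
        ' call FindTitleSafe(conn, title); dispose the reader when done.
    End Sub

End Module
```

The difference is not whether a stored procedure is involved but whether the user's text ever reaches the server's SQL parser: CommandType.StoredProcedure plus a SqlParameter sends the value out of band, while the EXECUTE string sends it in band. One general caveat: a procedure that itself assembles dynamic SQL from its parameters and runs it with EXEC reopens the same hole on the server side, so parameterising the call is necessary but not sufficient.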
