[AccessD] Worth Upgrading for?

David McAfee davidmcafee at gmail.com
Tue Jul 28 16:35:14 CDT 2009


True, but I'd say most (but not all) people that are using dynamic SQL
aren't sanitizing their inputs from users.

If the front end is designed to only use listboxes and list limited
comboboxes,
then why not send only their numeric IDs as stored procedure input
parameters?
It would be a lot less data going back to the server.

Drew was just asking why 'dynamically constructed' SQL statement is such a
sore subject.




On Tue, Jul 28, 2009 at 1:59 PM, Stuart McLachlan <stuart at lexacorp.com.pg> wrote:

> I keep hearing these same old mantras:
>
> 1.   Dynamic construction = SQL injection.
>
> Cr*p! ( if you'll pardon my french)
>
> Dynamic construction = SQL injection IF AND ONLY IF:
>
> a.  You take text input from your user as part of the construction
> b.  You do not sanitize the text.
>
> There's no way that you are exposed to SQL injection if you base your SQL
> statement on
> the current content of OptionBoxes, ListLimited ComboBoxes, selections
> in Listboxes,
> etc., etc.
>
> 2. Dynamic SQL isn't optimised.
>
> Big deal!
>
> Design your indexes properly and what's the real performance difference
> between:
>
> "myProcedure Param1, Param2, Param3"
> and
> "Select ,,,,,, from myTable where .. Param1 and .... Param2 ,,,, and Param3
> order by ....."
>
>
> --
> Stuart
>
> On 28 Jul 2009 at 10:05, David McAfee wrote:
>
> > Because it opens itself up to SQL injection.
> >
> > Also dynamic SQL isn't optimized.
> >
> > On Tue, Jul 28, 2009 at 7:16 AM, Drew Wutka <DWUTKA at marlow.com> wrote:
> >
> > > Why is 'dynamically constructed' SQL statements such a sore subject?
> > >
> > > This is a little bit of a shocker to me.
>
> --
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
>
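
The two approaches the thread contrasts, written out as an added example that is not from any of the posters: a statement concatenated from free text (Stuart's conditions a and b) beside the numeric-ID-as-parameter approach David suggests. It uses an in-memory SQLite table constructed here instead of an Access/SQL Server back end; the table, its rows and the function names are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data, not from the thread: customers with numeric IDs,
    the kind of rows a listbox in an Access front end would display."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Acme", "north"), (2, "Globex", "south"), (3, "Initech", "north")])
    return con


def lookup_concatenated(con, region_text):
    """Dynamic SQL built from user text with no sanitising: the text becomes part
    of the statement, so a quote character in it changes the WHERE clause itself."""
    sql = "SELECT name FROM customers WHERE region = '" + region_text + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, customer_id):
    """The front end sends only the numeric ID of the selected list item and it is
    bound as a parameter, never spliced into SQL text.  Coercing to int first means
    the server rejects anything that is not an ID, so the statement keeps its shape
    whatever the client actually sent (a listbox is not a guarantee of what arrives)."""
    cid = int(customer_id)  # raises ValueError for non-numeric input
    rows = con.execute("SELECT name FROM customers WHERE id = ?", (cid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "north"))          # the intended filter
    print(lookup_concatenated(db, "north' OR '1'='1"))  # filter defeated: every row
    print(lookup_parameterized(db, 2))               # ['Globex']
```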


