[AccessD] OT Friday; amused easily

Jim Lawrence accessd at shaw.ca
Fri Oct 14 01:08:28 CDT 2005


I had been scanning through the 'Simple Talk Blog' where Arthur's great
article is and was amazed (and amused) at one particular write up. The
article was called 'To SP or not to SP in SQL Server' at
http://www.simple-talk.com/2005/04/11/to-sp-or-not-to-sp-in-sql-server/

The writer is debating the general consensus that says Stored Procedures are
safer than passing full SQL calls to a server.... and here I quote:

<quote>
One of the most damaging arguments raised in defense of SPs is that they
somehow magically prevent SQL injection attacks
(http://www.unixwiz.net/techtips/sql-injection.html). From Rob's post:

Additionally, stored procedures are a counter-measure to dangerous SQL
Script injection attacks, a susceptibility that applications using embedded
SQL are more vulnerable to.

Sorry, but this is just not true. Using SPs makes it more likely that you
will pass parameters the right way, but there is no guarantee. For instance,
this is some code I recently read answering a question on
http://www.asp.net:
<unquote>

...And then the example proving that SPs are not safer...

<quote>
' The textbox value is spliced straight into the EXECUTE string, so any quote
' in it alters the SQL text; the stored procedure itself does nothing to stop that.
strsql = "EXECUTE findtitle '" & textboxtitle.text & "'"
objCmd = New SqlCommand(strSQL, objConn)
<unquote>

Unbelievable. Does using an ADO command method imply a SP?? After that I
could take nothing seriously in the article but I had a good laugh :-)

Hope this amuses someone else.
(...working too long)
Jim  
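Added example, not from Jim's post or from the Simple Talk article: the quoted pattern placed next to the parameterised way of calling the same procedure. It assumes a stored procedure dbo.findtitle taking one parameter @title nvarchar(200) and an open SqlConnection; neither the signature nor the connection string is on the page, both are assumptions.

```vbnet
' Added example (assumed procedure dbo.findtitle(@title nvarchar(200));
' placeholder connection string). Not code from the article or the post.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module FindTitleExample

    ' Unsafe form, as quoted in the article: the title becomes part of the SQL
    ' text, so a quote character in it changes the statement being executed.
    Function BuildUnsafeCommand(objConn As SqlConnection, title As String) As SqlCommand
        Dim strSQL As String = "EXECUTE findtitle '" & title & "'"
        Return New SqlCommand(strSQL, objConn)
    End Function

    ' Safe form: the procedure name is the whole CommandText, CommandType says
    ' it is a stored procedure, and the title travels as a typed parameter.
    ' The driver never concatenates the value into SQL text, so quotes in it
    ' are just data.
    Function BuildSafeCommand(objConn As SqlConnection, title As String) As SqlCommand
        Dim cmd As New SqlCommand("dbo.findtitle", objConn)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = title
        Return cmd
    End Function

    Sub Main()
        ' Constructed input: an ordinary title containing an apostrophe. With the
        ' unsafe form the apostrophe ends the string literal early, so the batch
        ' the server sees is no longer the statement the programmer wrote; that
        ' same mechanism is what SQL injection relies on.
        Dim title As String = "Dracula's Guest"

        Using objConn As New SqlConnection("Server=(local);Database=PLACEHOLDER;Integrated Security=true")
            Dim unsafeCmd As SqlCommand = BuildUnsafeCommand(objConn, title)
            Console.WriteLine("Unsafe CommandText: " & unsafeCmd.CommandText)

            Dim safeCmd As SqlCommand = BuildSafeCommand(objConn, title)
            Console.WriteLine("Safe CommandText:   " & safeCmd.CommandText)
            Console.WriteLine("Safe @title value:  " & CStr(safeCmd.Parameters("@title").Value))
        End Using
    End Sub

End Module
```

The point the article's snippet illustrates is visible in the first CommandText: whatever goes into the textbox is already SQL by the time the server sees it, and the fact that a stored procedure sits behind EXECUTE changes nothing. In the second form the procedure name and the value reach the server separately, which is the property people actually mean when they say SPs help against injection.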