Arthur Fuller
artful at rogers.com
Fri Oct 14 14:11:45 CDT 2005
I just posted a reply, not directly to this article but to the general notion that sprocs are safer than dynamic SQL. That is my story and I am sticking to it! And thanks to you for your kind words, and to all others on this list who took the time to read it. You boost my hit-count and that makes me look good to the publisher! Thanks!

-----Original Message-----
From: accessd-bounces at databaseadvisors.com [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: October 14, 2005 2:08 AM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] oT Friday; amused easily

I had been scanning through the 'Simple Talk Blog' where Arthur's great article is and was amazed (and amused) at one particular write up. The article was called 'To SP or not to SP in SQL Server' at http://www.simple-talk.com/2005/04/11/to-sp-or-not-to-sp-in-sql-server/

The writer is debating the general consensus that says Stored Procedures are safer than passing full sequel calls to a server.... and here I quote:

<quote>
One of the most damaging arguments raised in defense of SPs is that they somehow magically prevent SQL injection attacks (http://www.unixwiz.net/techtips/sql-injection.html). From Rob's post:

Additionally, stored procedures are a counter-measure to dangerous SQL Script injection attacks, a susceptibility that applications using embedded SQL are more vulnerable to.

Sorry, but this is just not true. Using SPs makes it more likely that you will pass parameters the right way, but there is no guarantee. For instance, this is some code I recently read answering a question on http://www.asp.net:
<unquote>

...And then the example proving that SPs are not safer...

<quote>
strsql = "EXECUTE findtitle '" & textboxtitle.text & "'"
objCmd = New SqlCommand(strSQL, objConn)
<unquote>

Unbelievable. Does using an ADO command method imply a SP?? After that I could take nothing seriously in the article but I had a good laugh :-)

Hope this amuses someone else.
(...working too long)

Jim
--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
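The quoted VB snippet is the crux of the disagreement: it calls a stored procedure, but it does so by splicing the text box value into a SQL string, so the procedure name buys nothing. The following is an added example, not code from this thread or from the Simple Talk article. It reproduces the string the quoted code builds, then contrasts a concatenated lookup with a parameterised one. Python's sqlite3 stands in for ADO.NET and SQL Server (an assumption made so the example runs offline); sqlite has no stored procedures, so a plain SELECT over a small constructed table plays the part of the hypothetical findtitle procedure. The failure mode shown is the apostrophe case: a perfectly legitimate title such as "O'Reilly on Access" is parsed as SQL by the concatenated version and treated as a value by the parameterised one.

```python
# Added example (not from the AccessD thread or the Simple Talk article).
# sqlite3 is used in place of SQL Server/ADO.NET so this runs with no server;
# a plain SELECT stands in for the hypothetical "findtitle" stored procedure.
import sqlite3


def build_execute_string(user_text):
    """The exact string the quoted VB line builds:
    "EXECUTE findtitle '" & textboxtitle.text & "'"
    Anything the user types, apostrophes included, lands inside the SQL text."""
    return "EXECUTE findtitle '" + user_text + "'"


def make_db():
    """Constructed sample data standing in for the titles the procedure searches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE titles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO titles (title) VALUES (?)",
        [("SQL Server Internals",), ("O'Reilly on Access",)],
    )
    return conn


def find_title_concat(conn, user_text):
    """Mirrors the quoted pattern: the user's text is concatenated into the
    statement, so the database parser sees it as SQL, not as a value."""
    sql = "SELECT id, title FROM titles WHERE title = '" + user_text + "'"
    return conn.execute(sql).fetchall()


def find_title_param(conn, user_text):
    """The fix the article is arguing for: fixed statement text plus a bound
    parameter. In ADO.NET the equivalent is a SqlCommand with
    CommandType.StoredProcedure and a SqlParameter for the title."""
    sql = "SELECT id, title FROM titles WHERE title = ?"
    return conn.execute(sql, (user_text,)).fetchall()


def concat_breaks_on_apostrophe(conn, user_text="O'Reilly on Access"):
    """Returns True when the concatenated lookup fails to parse for a title
    containing an apostrophe, demonstrating that the input reached the SQL
    parser as code rather than as data."""
    try:
        find_title_concat(conn, user_text)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(build_execute_string("O'Reilly on Access"))
    print("parameterised:", find_title_param(db, "O'Reilly on Access"))
    print("concatenated breaks on apostrophe:", concat_breaks_on_apostrophe(db))
```

The parameterised lookup returns the O'Reilly row; the concatenated one raises a syntax error on the same input, because the apostrophe closed the string literal early. A syntax error is the benign outcome; the same mechanism is what lets hostile input change the statement, and it is unaffected by whether the statement being built happens to be an EXECUTE of a stored procedure.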