Stuart McLachlan
stuart at lexacorp.com.pg
Tue Jul 28 15:59:12 CDT 2009
I keep hearing this same old mantras: 1. Dynamic construction = SQL injection. Cr*p! ( if you'll pardon my french) Dynamic construction = SQL injection IF AND ONLY IF: a. You take text input from your user as part of the construction b. You do not sanitize the text. There's no way that you are exposed to SQL injection if you base your SQL statement on such the current content of OptionBoxes, ListLimited ComboBoxes, selections in Listboxes etc,ect. 2. Dynaic SQL isn't optimised. Big deal! Design your indexes properly and what's the real performance difference between: "myProcedure Param1, Param2, Param3" and "Select ,,,,,, from myTable where .. Param1 and .... Param2 ,,,, and Param3 order by ....." -- Stuart On 28 Jul 2009 at 10:05, David McAfee wrote: > Because it opens its self up to SQL injection. > > Also dynamic SQL isn't optimized. > > On Tue, Jul 28, 2009 at 7:16 AM, Drew Wutka <DWUTKA at marlow.com> wrote: > > > Why is 'dynamically constructed' SQL statements such a sore subject? > > > > This is a little bit of a shocker to me.