Drew Wutka
DWUTKA at Marlow.com
Tue Jul 28 17:13:49 CDT 2009
I was thinking along the same lines with both of your statements here.

Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Stuart McLachlan
Sent: Tuesday, July 28, 2009 3:59 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Worth Upgrading for?

I keep hearing these same old mantras:

1. Dynamic construction = SQL injection.

Cr*p! (if you'll pardon my French)

Dynamic construction = SQL injection IF AND ONLY IF:
a. You take text input from your user as part of the construction
b. You do not sanitize the text.

There's no way that you are exposed to SQL injection if you base your SQL statement on the current content of OptionBoxes, ListLimited ComboBoxes, selections in Listboxes etc., etc.

2. Dynamic SQL isn't optimised.

Big deal! Design your indexes properly and what's the real performance difference between:

"myProcedure Param1, Param2, Param3"

and

"Select ,,,,,, from myTable where .. Param1 and .... Param2 ,,,, and Param3 order by ....."

--
Stuart

On 28 Jul 2009 at 10:05, David McAfee wrote:

> Because it opens itself up to SQL injection.
>
> Also dynamic SQL isn't optimized.
>
> On Tue, Jul 28, 2009 at 7:16 AM, Drew Wutka <DWUTKA at marlow.com> wrote:
>
> > Why are 'dynamically constructed' SQL statements such a sore subject?
> >
> > This is a little bit of a shocker to me.

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
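The distinction Stuart draws above, between building SQL from free text the user typed and building it from the selection in a fixed control, is easy to show side by side. The following is an added example, not code from the thread or from any of its participants; it uses Python's built-in sqlite3 against a small constructed table and a hypothetical allow-list that stands in for an option group or ListLimited combo box. It also shows the third option the thread does not spell out, passing free text as a bound parameter, which is the standard way to keep user text as data rather than SQL.

```python
import sqlite3

# Constructed sample rows, not data from the thread.
ROWS = [
    ("alice", "Sales", 1),
    ("bob", "Support", 1),
    ("carol", "Sales", 0),
]

# Hypothetical allow-lists standing in for an OptionBox / ListLimited combo box:
# the SQL fragment is chosen by the control's index, never typed by the user.
DEPARTMENT_CHOICES = {0: "Sales", 1: "Support"}
SORT_CHOICES = {0: "name ASC", 1: "name DESC"}


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, active INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return conn


def query_concat(conn, name_text):
    """Dynamic SQL built by concatenating free text: this is the injectable case."""
    sql = "SELECT name FROM staff WHERE active = 1 AND name = '" + name_text + "'"
    return [r[0] for r in conn.execute(sql)]


def query_from_controls(conn, dept_index, sort_index):
    """Dynamic SQL whose fragments come only from allow-listed control choices.

    The user picks an index; the text spliced into the statement is ours.
    An index outside the list raises KeyError rather than reaching the SQL.
    """
    dept = DEPARTMENT_CHOICES[dept_index]
    order = SORT_CHOICES[sort_index]
    sql = f"SELECT name FROM staff WHERE dept = '{dept}' ORDER BY {order}"
    return [r[0] for r in conn.execute(sql)]


def query_param(conn, name_text):
    """Free text passed as a bound parameter: the driver keeps it as data."""
    sql = "SELECT name FROM staff WHERE active = 1 AND name = ?"
    return [r[0] for r in conn.execute(sql, (name_text,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("concat, honest input :", query_concat(db, "alice"))
    print("concat, payload      :", query_concat(db, payload))   # every row leaks
    print("bound parameter      :", query_param(db, payload))    # no rows
    print("from controls        :", query_from_controls(db, 0, 1))
```

Run with the payload and the concatenated version returns all three names, inactive row included, because the quote in the input closed the literal and the `OR '1'='1'` became part of the WHERE clause. The bound-parameter version returns nothing, since no employee is literally named `x' OR '1'='1`. The control-driven version is dynamic SQL too, yet the only thing the user controls is which allow-listed fragment is used, which is exactly the case Stuart describes as not exposed.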