[dba-SQLServer] Difference between views and queries

Donna Martin dmart06 at emory.edu
Thu Jun 10 15:35:44 CDT 2004 

Regarding SQL Injection:  Sorry to get into this, but I use ColdFusion and cfc's
to query the database.  Then I wrap my passed values in Val() so that no SQL
injection can be performed.  I've been told that this works well, and have had
my code checked by others far better than I.  They have confirmed.

Do you agree?

Thanks.

Donna

Quoting Francisco H Tapia <my.lists at verizon.net>:

> jwcolby wrote On 6/10/2004 9:33 AM:
>
> >Can anyone explain the difference between a view and a query?  Views use a
> >query, plus the view keyword.  I have a couple of books that I have read the
> >chapter on Views, but I so far haven't managed to "get" why you wouldn't
> >just use the query itself instead of turning it into a view.
> >
> >
> A query is a request for an Access Database, however for Sql Server you
> would either use a View or Stored Procedure to return the data you
> wanted... you are also able to use dynamic SQL to retrieve the
> information you need.  ANY request given to the SQL Server engine is
> managed by the engine, unless you are running Remote servers (iirc).
>
> In Sql Server, it is TABOO, nay, GENERALLY bad practice to use dynamic
> sql because of the implication of SQL INJECTION attacks, this poses a
> "real" security threat to your database. and your server.
>
> another reason to use a VIEW over dynamic sql is that it is
> pre-optimized by the SQL Server Engine and thus runs faster and more
> efficient.  Additionally if you use Dynamic SQL then your individual
> users who access the server will need EXPLICIT "SELECT" permissions by
> you, which is another 'bad' practice.  In SQL Server you make data
> available to your users via VIEWs and Stored Procedures or some other
> secure way in order to protect your tables and it's data.
>
> ya get wot I mean?
>
> --
> -Francisco
>
>
> _______________________________________________
> dba-SQLServer mailing list
> dba-SQLServer at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> http://www.databaseadvisors.com
>


--
Donna M. Martin
Applications Dev/Analyst, Sr
Pathology & Laboratory Medicine
Emory University
N251 EUH Educational Annex
404 727-5918 Phone
404 686-5500 x15657 Pager

More information about the dba-SQLServer mailing list