Francisco H Tapia
my.lists at verizon.net
Thu Jun 10 16:02:37 CDT 2004
so long as you validate any data that will be surrounded in the dynamic sql you will lessen your risk for SQL Injections... from reading your post I understand this to be something like Select CompanyName, CoAttr1, pKEY From TblCompany WHERE CoAttr1 = 1 by running a val on that entry, you prevent possible injections of things such as "1; TRUNCATE TABLE tblCompany" this works fine for any values that are number based. Depending on how many people are hitting your application, you may stand to benifit from using stored procedures where you PASS an interger value accross the wire, this improves 2 things, bandwidth (especially for really long SQL statements, really if you're on a 100mbit lan this is negligable, but consider hundereds or thousands of users, while the performance can be dismissed, you may guage some benifits. I'd run a test on some sample data if it were at all possible.) Donna Martin wrote On 6/10/2004 1:35 PM: >Regarding SQL Injection: Sorry to get into this, but I use ColdFusion and cfc's >to query the database. Then I wrap my passed values in Val() so that no SQL >injection can be performed. I've been told that this works well, and have had >my code checked by others far better than I. They have confirmed. > >Do you agree? > >Thanks. > >Donna > >Quoting Francisco H Tapia <my.lists at verizon.net>: > > > >>jwcolby wrote On 6/10/2004 9:33 AM: >> >> >> >>>Can anyone explain the difference between a view and a query? Views use a >>>query, plus the view keyword. I have a couple of books that I have read the >>>chapter on Views, but I so far haven't managed to "get" why you wouldn't >>>just use the query itself instead of turning it into a view. >>> >>> >>> >>> >>A query is a request for an Access Database, however for Sql Server you >>would either use a View or Stored Procedure to return the data you >>wanted... you are also able to use dynamic SQL to retrieve the >>information you need. ANY request given to the SQL Server engine is >>managed by the engine, unless you are running Remote servers (iirc). >> >>In Sql Server, it is TABOO, nay, GENERALLY bad practice to use dynamic >>sql because of the implication of SQL INJECTION attacks, this poses a >>"real" security threat to your database. and your server. >> >>another reason to use a VIEW over dynamic sql is that it is >>pre-optimized by the SQL Server Engine and thus runs faster and more >>efficient. Additionally if you use Dynamic SQL then your individual >>users who access the server will need EXPLICIT "SELECT" permissions by >>you, which is another 'bad' practice. In SQL Server you make data >>available to your users via VIEWs and Stored Procedures or some other >>secure way in order to protect your tables and it's data. >> >>ya get wot I mean? >> >> >> >> > > > -- -Francisco