Susan Harkins
ssharkins at setel.com
Sun Nov 12 09:11:10 CST 2006
If you run a google on SQL Injection, you'll get a ton of information. I had a white paper on protecting yourself from the problem, and it was really good, but I no longer have it. I apologize, but I'm sure it's still out there.

Susan H.

I definitely agree with the sandbox but disagree with the idea of letting them run dynamic SQL even against a sandbox DB. Far better to inspect their requirements, with their help, and to design sprocs and UDFs that attempt to fulfill them, IMO. These can be refined in the sandbox.

For example, their UI presents three combo-boxes, and you write sprocs to deliver what is required to populate them, perhaps returning an OUT parameter so it's easy for them to grab the selected value. You work through the UI with their guidance and deliver sprocs that do what they need.
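As an added illustration of the approach described at the end of the message above (a sproc with a typed parameter and an OUT parameter, instead of dynamic SQL), the following T-SQL is example code written for this page; it is not code from the post or the list. The schema (dbo.Category, dbo.Product), the procedure names, and the role AppUserRole are all assumed for the example.

```sql
-- Assumed schema for the example (not from the post).
CREATE TABLE dbo.Category (
    CategoryID   int PRIMARY KEY,
    CategoryName nvarchar(50) NOT NULL
);
CREATE TABLE dbo.Product (
    ProductID   int PRIMARY KEY,
    CategoryID  int NOT NULL REFERENCES dbo.Category (CategoryID),
    ProductName nvarchar(100) NOT NULL
);
GO

-- The pattern the message argues against: the statement text is assembled
-- from a string the client supplies. Whatever the caller passes becomes part
-- of the SQL that is parsed, so it is code, not data. That is the SQL
-- injection exposure; only the structure is shown here, no payload.
CREATE PROCEDURE dbo.usp_ProductsByCategory_Dynamic
    @CategoryName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT p.ProductID, p.ProductName
                 FROM dbo.Product AS p
                 JOIN dbo.Category AS c ON c.CategoryID = p.CategoryID
                 WHERE c.CategoryName = ''' + @CategoryName + N'''';
    EXEC (@sql);
END
GO

-- The pattern the message recommends: a sproc whose statement text is fixed
-- when it is compiled. @CategoryName is bound as a typed value, never parsed
-- as SQL. The OUT parameter hands back the resolved key so the UI can keep
-- the selected value without a second round trip.
CREATE PROCEDURE dbo.usp_ProductsByCategory
    @CategoryName nvarchar(50),
    @CategoryID   int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;

    SELECT @CategoryID = CategoryID
    FROM dbo.Category
    WHERE CategoryName = @CategoryName;

    -- Rows to populate the combo box; an unknown category simply returns none.
    SELECT ProductID, ProductName
    FROM dbo.Product
    WHERE CategoryID = @CategoryID
    ORDER BY ProductName;
END
GO

-- Least privilege for the application login: EXECUTE on the sproc only, no
-- direct table access, so the client cannot issue ad hoc statements at all.
GRANT EXECUTE ON dbo.usp_ProductsByCategory TO AppUserRole;
GO

-- Client-side call (constructed sample value 'Widgets').
DECLARE @id int;
EXEC dbo.usp_ProductsByCategory @CategoryName = N'Widgets', @CategoryID = @id OUTPUT;
SELECT @id AS SelectedCategoryID;
GO
```

The safe procedure needs no string handling at all: the parameter is passed to the query engine as a value, so the only thing the caller controls is which category is looked up. If dynamic SQL is ever unavoidable inside a sproc, sp_executesql with declared parameters keeps the same data/code separation, whereas EXEC of a concatenated string does not.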