The original problem was related to code produced by site server wizards. These wizards do not use SP's It's quite a task to rewrite a whole site as SP'ed. Maybe MS should be looking at a move to this methodology. In general the extra time in doing DB access as SP's isn't justified, mainly because people aren't aware of the issue. Nick. > This can still be a problem even if you use stored > procedures. I've seen > code like this: > sql = "exec sp_name " & userdata > If userdata contains '0; delete from table' then you've got a problem. > The best way around this is to use parameterized queries > for all data > access, including stored procedures, selects, inserts, > and updates. Never > build up sql statements from strings that include user > input. > Eric. > If you use Stored Procedure calls in your ASP pages this > can't > happen!! Manually creating SQL statements within ASP is > > poor design : > not as efficient and secured as storing them in your database server > (as stored procedures) and making a call to them without > speaking > of coding properly : you do you reuse these pieces of code?!
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:19 PDT