Velocity Reviews - Computer Hardware Reviews

command objects or not for stored procedures

Mike D
03-01-2005
I use stored procedures in my ASP using the connection object. I validate
any inputs to protect myself from SQL injection. Why is it, or isn't it,
better to use the command object? I have used the command object with
parameters and the coding was a pain.

Comments? I realize this is an open-ended question, but I am trying to
improve my skills/code if need be.

Thanks

Mike

Bob Barrows [MVP]
03-01-2005
Mike D wrote:
> I use stored procedures in my asp using the connection object. I
> validate any inputs to protect myself from SQL injection. Why is it,
> or isn't it better to use the command object? I have used the
> command object with parameters and the coding was a pain.
>


Here is my take on the matter:
http://tinyurl.com/jyy0

Basically, while validation can definitely slow down a hacker attempting to
use SQL injection (usually to the point of forcing him to go find easier
pickings), new techniques to foil validation are being found all the time:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

The only sure way to prevent SQL injection is to not use dynamic SQL. This
means using parameters to pass arguments. In most cases, an explicit Command
object is not needed. Passing arguments by parameter relieves you of the
chore of dealing with delimiters, embedded or otherwise.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
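The point Bob makes above, shown in classic ASP/ADO code. This is an added example, not code from the thread or from Bob's linked article. It assumes a SQL Server database reachable through the placeholder connection string `CONN_STRING` and a hypothetical stored procedure `dbo.GetCustomer` that takes one integer parameter `@CustomerID`; both names are assumptions. It contrasts the dynamic-SQL call (left commented out) with two parameterized forms: the explicit `ADODB.Command` with a typed parameter, and the shorter form of calling the procedure as a method on the `Connection` object, which is what "an explicit Command object is not needed" refers to.

```vbscript
<%
Option Explicit
' Added example (not from the thread). Assumes a SQL Server procedure
'   CREATE PROCEDURE dbo.GetCustomer @CustomerID int AS
'       SELECT CustomerID, Name FROM dbo.Customers WHERE CustomerID = @CustomerID
' and a connection string in CONN_STRING (placeholder value below).

' ADO constants, normally taken from adovbs.inc or a METADATA type-library reference
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI"

Dim conn, cmd, rs, id
id = Request.QueryString("id")

' Type-check the input before it goes anywhere near the database. With a typed
' parameter this is belt-and-braces: ADO would reject a non-integer anyway, but
' rejecting it here gives the client a clean 400 instead of a server error page.
If Not IsNumeric(id) Then
    Response.Status = "400 Bad Request"
    Response.Write "id must be an integer"
    Response.End
End If
id = CLng(id)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING

' 1. Dynamic SQL: the form the thread warns against. The request value becomes part
'    of the statement text, so validation is the only thing between the user and
'    the SQL parser. Left commented out on purpose.
' Set rs = conn.Execute("EXEC dbo.GetCustomer " & id)

' 2. Explicit Command object with a typed parameter. The value never touches the
'    SQL text; it travels to the server as a separate integer argument, so there
'    are no delimiters to escape. Size is omitted because adInteger is fixed-width.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.GetCustomer"
cmd.Parameters.Append cmd.CreateParameter("@CustomerID", adInteger, adParamInput, , id)
Set rs = cmd.Execute
Response.Write "<h3>Via Command object</h3>"
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing

' 3. The shortcut: call the procedure as a method of the Connection object. ADO
'    builds the Command and its parameters from the procedure's metadata; the
'    Recordset is passed as the last argument and is filled by the call.
Set rs = Server.CreateObject("ADODB.Recordset")
conn.GetCustomer id, rs
Response.Write "<h3>Via Connection method</h3>"
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```

Both parameterized forms send the argument out of band from the statement text, which is why the delimiter problem disappears. Form 3 depends on the OLE DB provider exposing stored procedures as methods and on ADO being able to read the procedure's parameter metadata, so it is convenient where the provider supports it but is not available everywhere; the explicit Command object of form 2 works with any provider and is the one to fall back on.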

Mike D
03-01-2005
Thanks Bob. Some of your questions to other posts are what prompted my
question. I will read the links and see what's up. I find myself in an
environment where I have to use both Oracle and MS SQL Server, and stored
procedures in Oracle have so far required the command object to fire. It may
give me more practice.

Thanks
Mike
