
command objects or not for stored procedures

I use stored procedures in my asp using the connection object. I validate
any inputs to protect myself from SQL injection. Why is it, or isn't it
better to use the command object? I have used the command object with
parameters and the coding was a pain.

Comments?? I realize this is an open ended question but I am trying to
improve my skills/code if need be.

Thanks

Mike
Jul 22 '05 #1
Mike D wrote:
I use stored procedures in my asp using the connection object. I
validate any inputs to protect myself from SQL injection. Why is it,
or isn't it better to use the command object? I have used the
command object with parameters and the coding was a pain.


Here is my take on the matter:
http://tinyurl.com/jyy0

Basically, while validation can definitely slow down a hacker attempting to
use sql injection (usually to the point of forcing him to go find easier
pickings), new techniques to foil validation are being found all the time:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

The only sure way to prevent sql injection is to not use dynamic sql. This
means using parameters to pass arguments. In most cases, an explicit Command
object is not needed. Passing arguments by parameter relieves you of the
chore of dealing with delimiters, embedded or otherwise.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #2
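The three approaches Bob contrasts, side by side in classic ASP. This is an added example, not code from the thread: it assumes an open ADO Connection named conn and a SQL Server stored procedure dbo.GetOrdersForCustomer taking one varchar(50) parameter, both hypothetical.

```vbscript
<%
' Added example, not from the original thread. Assumes an open ADODB.Connection
' "conn" and a stored procedure dbo.GetOrdersForCustomer(@CustomerName varchar(50));
' both names are assumptions for illustration.
Dim custName, rs
custName = Request.Form("customer")

' 1. Dynamic SQL built by string concatenation (the 'before'; kept commented out).
'    The input becomes part of the statement text, so a stray quote changes the
'    statement. Filtering known-bad characters is a race against new bypasses.
' Set rs = conn.Execute("EXEC dbo.GetOrdersForCustomer '" & custName & "'")

' 2. Parameterised call with no explicit Command object: ADO exposes a stored
'    procedure as a method of the Connection, with the Recordset as the last
'    argument. The value travels as a typed parameter, never as SQL text, so
'    delimiters inside custName need no escaping at all.
Set rs = Server.CreateObject("ADODB.Recordset")
conn.GetOrdersForCustomer custName, rs

' 3. The same call through an explicit Command object, which the OP's Oracle
'    driver requires. More code, same guarantee: parameter and SQL stay separate.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 4                       ' adCmdStoredProc
cmd.CommandText = "dbo.GetOrdersForCustomer"
' adVarChar = 200, adParamInput = 1, size 50 matches the parameter declaration
cmd.Parameters.Append cmd.CreateParameter("@CustomerName", 200, 1, 50, custName)
Set rs = cmd.Execute

' Output is encoded on the way out; parameters only protect the SQL boundary.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("OrderID")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```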
Thanks Bob. Some of your questions to other posts are what prompted my
question. I will read the links and see what's up. I find myself in an
environment where I have to use both Oracle and MS SQL Server and stored
procedures in Oracle have so far required the command object to fire. It may
give me more practice.

Thanks
Mike

Jul 22 '05 #3
