Bytes | Software Development & Data Engineering Community

command objects or not for stored procedures

I use stored procedures in my asp using the connection object. I validate
any inputs to protect myself from SQL injection. Why is it, or isn't it,
better to use the command object? I have used the command object with
parameters and the coding was a pain.

Comments?? I realize this is an open ended question but I am trying to
improve my skills/code if need be.

Thanks

Mike
Jul 22 '05 #1
Mike D wrote:
> I use stored procedures in my asp using the connection object. I
> validate any inputs to protect myself from SQL injection. Why is it,
> or isn't it, better to use the command object? I have used the
> command object with parameters and the coding was a pain.


Here is my take on the matter:
http://tinyurl.com/jyy0

Basically, while validation can definitely slow down a hacker attempting to
use sql injection (usually to the point of forcing him to go find easier
pickings), new techniques to foil validation are being found all the time:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

The only sure way to prevent sql injection is to not use dynamic sql. This
means using parameters to pass arguments. In most cases, an explicit Command
object is not needed. Passing arguments by parameter relieves you of the
chore of dealing with delimiters, embedded or otherwise.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #2
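The three ways of calling a stored procedure that this reply contrasts, as an added classic ASP/ADO example that is not code from the thread or from Bob's linked article. It assumes a SQL Server stored procedure named GetOrdersByCustomer with a single integer parameter @CustomerID, a result column OrderID, and a placeholder connection string; all of those names are assumptions for the example.

```vbscript
<%
' Added example, not from the thread. Assumed: a SQL Server procedure
' GetOrdersByCustomer(@CustomerID int) returning an OrderID column; the
' connection string below is a placeholder.
Option Explicit

' ADO constants (values as defined in adovbs.inc) so no include is needed
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

Dim conn, cmd, rs, rawId, custId

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER-PLACEHOLDER;" & _
          "Initial Catalog=Sales;Integrated Security=SSPI"

' Validate the input's type before it goes anywhere near the database.
' Validation is still worth doing, but it is not what prevents injection.
rawId = Request.QueryString("custId")
If Not IsNumeric(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid customer id"
    Response.End
End If
custId = CLng(rawId)

' 1) Dynamic SQL: the value becomes part of the statement text, so the
'    code is only as safe as its quoting and validation. This is the
'    pattern the reply argues against.
Set rs = conn.Execute("EXEC GetOrdersByCustomer " & custId)
rs.Close

' 2) Explicit Command object with a typed parameter: the value travels
'    separately from the statement text, so there are no delimiters to
'    escape and no string can change the shape of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
    .ActiveConnection = conn
    .CommandText = "GetOrdersByCustomer"
    .CommandType = adCmdStoredProc
    .Parameters.Append .CreateParameter("@CustomerID", adInteger, _
                                        adParamInput, , custId)
End With
Set rs = cmd.Execute
rs.Close
Set cmd = Nothing

' 3) The same parameterized call through the Connection object alone:
'    ADO exposes each stored procedure as a method on the connection and
'    sends the arguments as parameters, so no Command object is needed.
'    The trailing argument is the Recordset that receives the results.
Set rs = Server.CreateObject("ADODB.Recordset")
conn.GetOrdersByCustomer custId, rs
Do Until rs.EOF
    Response.Write Server.HTMLEncode(CStr(rs("OrderID").Value)) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
Set rs = Nothing
Set conn = Nothing
%>
```

Forms 2 and 3 are equivalent from the database's point of view: both arrive as a parameterized RPC call, so the value can never be parsed as SQL. Form 3 is the shorter code the reply has in mind; form 2 is still useful when you need output parameters, a return value, or explicit type and size control.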
Thanks Bob. Some of your questions to other posts are what prompted my
question. I will read the links and see what's up. I find myself in an
environment where I have to use both Oracle and MS SQL Server, and stored
procedures in Oracle have so far required the command object to fire. It may
give me more practice.

Thanks
Mike

Jul 22 '05 #3
