Mike D wrote:
I use stored procedures in my asp using the connection object. I
validate any inputs to protect myself from SQL injection. Why is it,
or isn't it better to use the command object? I have used the
command object with parameters and the coding was a pain.
Here is my take on the matter:
http://tinyurl.com/jyy0
Basically, while validation can definitely slow down a hacker attempting to
use sql injection (usually to the point of forcing him to go find easier
pickings), new techniques to foil validation are being found all the time:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf
The only sure way to prevent sql injection is to not use dynamic sql. This
means using parameters to pass arguments. In most cases, an explicit Command
object is not needed. Passing arguments by parameter relieves you of the
chore of dealing with delimiters, embedded or otherwise.
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
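As an added illustration (not code from either poster), here is the contrast the reply draws, in classic ASP with ADO: the dynamic-SQL version that rests entirely on input validation, beside the parameterized call, and then the same call made without an explicit Command object by invoking the stored procedure as a method of the Connection. The connection string, the stored procedure GetOrdersByCustomer(@CustomerID int) and the Orders table are constructed for the example; the Connection-method shortcut is assumed to behave as described with the SQLOLEDB provider against SQL Server.

```vbscript
<%
' Constructed example: strConn and the procedure name are hypothetical.
' ADO constants, defined here so the page does not depend on adovbs.inc.
Const adCmdStoredProc = 4, adInteger = 3, adParamInput = 1
Dim strConn, cn, cmd, rs, custId
strConn = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=Shop;Integrated Security=SSPI;"
custId = Request.QueryString("id")

' --- Dynamic SQL: the value becomes part of the statement text. ---
' Every safety property here depends on the validation of custId, which is
' exactly the position the reply argues against.
' sql = "SELECT OrderID FROM Orders WHERE CustomerID = " & custId
' Set rs = cn.Execute(sql)

' Type validation is still worthwhile: it rejects junk before the database
' sees it, but it is not what keeps the input out of the SQL text.
If Not IsNumeric(custId) Then
    Response.Write "Invalid customer id"
    Response.End
End If

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open strConn

' --- Parameterized: the value travels as a typed parameter, never as SQL. ---
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
    .ActiveConnection = cn
    .CommandType = adCmdStoredProc
    .CommandText = "GetOrdersByCustomer"
    .Parameters.Append .CreateParameter("@CustomerID", adInteger, adParamInput, , CLng(custId))
    Set rs = .Execute
End With
Do Until rs.EOF
    Response.Write Server.HTMLEncode(CStr(rs("OrderID"))) & "<br>"
    rs.MoveNext
Loop
rs.Close

' --- Same call, no explicit Command object (assumed ADO behaviour): ---
' the stored procedure is invoked as a method of the Connection, with the
' arguments first and a pre-created Recordset last; the provider still
' binds the value as a parameter rather than splicing it into the text.
Set rs = Server.CreateObject("ADODB.Recordset")
cn.GetOrdersByCustomer CLng(custId), rs
Do Until rs.EOF
    Response.Write Server.HTMLEncode(CStr(rs("OrderID"))) & "<br>"
    rs.MoveNext
Loop
rs.Close
cn.Close
%>
```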