Bytes | Software Development & Data Engineering Community
Parameters to Command Object!

Microsoft advises not to pass parameters to the Command object in the
Execute statement. Why?

Thanks,

Arpan

Jul 22 '05 #1
Jon
Because the command object has its own parameters command
(command.parameters), that's why. See
http://support.microsoft.com/kb/165156/EN-US for info on this.

I presume another reason is because it may create a huge security flaw

--
Jon
wa*********@gmail.com
Look at that dead pixel on your screen! *SLAP* Gotcha!

Jul 22 '05 #2
Arpan wrote:
Microsoft advises not to pass parameters to the Command object in the
Execute statement. Why?


Where did you see this advice? It's hard to answer such a question in a
vacuum.

One possible reason is the "late-bound"/"early-bound" argument. In compiled
languages such as VB, C++, etc. using variants (which is ultimately what you
are doing when you pass a variant array containing parameter values via the
Execute statement) impairs performance. However, in VBScript, ALL variables
are Variant, so this is not as much a consideration. As Eric Lippert
constantly says: "if you care about maximizing performance, using a
late-bound unoptimized bytecode-interpreted dynamically-typed language is
probably a bad choice." Of course, he fails to address that script languages
are pretty much the only choice in classic ASP, even when using your own
compiled DLLs (you have to use script to instantiate them, don't you?)

The other reason of course, is that retrieving output parameter values is
not possible when using this method to pass parameter values to a stored
procedure.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #3
How do you get from the information in 165156 to the "huge security flaw"
statement? I recognize that you may be using "presume" as a synonym for
"guess", but there must be some basis for coming to this presumption ...

Please explain.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #4
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@tk2msftngp13.phx.gbl...
How do you get from the information in 165156 to the "huge security flaw"
statement? I recognize that you may be using "presume" as a synonym for
"guess", but there must be some basis for coming to this presumption ...

Please explain.

If you do not use parameter objects, you have to encode single quotes (')
and check each parameter for type validity. Second, you have to write
your -own- tools to convert date formats and to format money etc. in the
correct format. I've seen many Dutch programmers losing time writing such
tools (SQL Server and non-language-compatible configured systems switch
decimal symbols). Seriously, this is a waste of time and possibly a security
problem if you program like this:

myADO.execute "exec myProc " + request("myParam")
Jul 22 '05 #5
Egbert Nierop (MVP for IIS) wrote:
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@tk2msftngp13.phx.gbl...
How do you get from the information in 165156 to the "huge security
flaw" statement? I recognize that you may be using "presume" as a
synonym for "guess", but there must be some basis for coming to this
presumption ... Please explain.

If you do not use parameter objects, you have to encode single quotes
(') and check each parameter for type validity.


Not quite true. You can pass the parameter values using a variant array as
the second argument in the Execute method without using the Parameters
collection.

http://groups-beta.google.com/group/...e36562fee7804e
And even if you do use the parameter objects, it is a good idea to check the
type/validity of the values being passed in order to avoid raising errors,
which is not really a good use of CPU.

Second, you have to write your -own- tools to convert date formats and to
format money etc. in the correct format. I've seen many Dutch programmers
losing time writing such tools (SQL Server and non-language-compatible
configured systems switch decimal symbols). Seriously, this is a waste of
time and possibly a security problem if you program like this:

myADO.execute "exec myProc " + request("myParam")


I certainly concur with this. I'm constantly ranting about dynamic sql for
this very reason. However, this is not what I understood the question to be
about. However, you may be right:

"Microsoft advises not to pass parameters to the Command object in the
Execute statement."

I interpreted this as advice against using the variant array in the Execute
statement. However, it could easily be interpreted as advice against using
the dynamic sql approach, in which case both you and Jon are correct.

To Arpan, here is the reason for the security concern about using dynamic
sql:

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #6
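As an added example (not code from this thread), here is the dynamic-SQL call Egbert shows beside the two alternatives Bob describes: the variant array passed as Execute's second argument, and the Parameters collection, which is the only one of the three that hands an output parameter value back. The open connection cn, the stored procedure myProc and its parameters @myParam and @rowsFound are assumptions made for the example.

```vbscript
' Added example, not code from the thread. Assumes an open ADODB.Connection
' "cn" and a hypothetical stored procedure myProc(@myParam int,
' @rowsFound int OUTPUT) on SQL Server.
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1
Const adParamOutput = 2
Const adExecuteNoRecords = 128

' 1. The pattern Egbert warns against: the request value is pasted into the
'    SQL text, so whatever the client sends is parsed as SQL, not as a value.
Sub RunDynamicSql(cn)
    cn.Execute "exec myProc " & Request("myParam")
End Sub

' 2. Bob's variant-array form: values are bound to the procedure's
'    parameters by position. No string building, but no output values back.
Sub RunWithVariantArray(cn)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "myProc"
    cmd.Execute , Array(CLng(Request("myParam")))
End Sub

' 3. The Parameters collection: typed binding plus a readable output value.
Function RunWithParameters(cn)
    Dim cmd, p
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "myProc"
    ' Check the type first, as Bob suggests, so bad input fails here
    ' instead of raising a provider error on Execute.
    If Not IsNumeric(Request("myParam")) Then
        Err.Raise 5, "RunWithParameters", "myParam must be numeric"
    End If
    Set p = cmd.CreateParameter("@myParam", adInteger, adParamInput, , CLng(Request("myParam")))
    cmd.Parameters.Append p
    cmd.Parameters.Append cmd.CreateParameter("@rowsFound", adInteger, adParamOutput)
    ' adExecuteNoRecords: with no recordset pending, the output parameter is
    ' populated as soon as Execute returns.
    cmd.Execute , , adExecuteNoRecords
    RunWithParameters = cmd.Parameters("@rowsFound").Value
End Function
```

If the procedure also returns rows, read the output parameter only after the returned recordset has been closed, since the provider sends output values after the result set.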
Jon
Thank you Egbert. I have been working so I didn't have time to reply. Indeed
Bob this was how I interpreted the question ... though it may have been
wrong. Sorry I couldn't have answered your question earlier!

--
Jon
wa*********@gmail.com
Look at that dead pixel on your screen! *SLAP* Gotcha!

Jul 22 '05 #7
