473,503 Members | 11,783 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

SQLInjection with OpenXML

I am researching the use of OpenXml for doing mass updates/inserts.

Does anyone know how this procedure works as far as sql injection is
concerned? I've always been taught to use sp's with parameters...does
using OpenXML open up any holes in that idea?

My thinking is that it would be fine (maybe even better), because the
fields will still be treated as literals.

Alternatively, are there any other suggestions for doing massive
amounts of updates/inserts?

Mar 9 '06 #1
1 2158
figital (mh****@gmail.com) writes:
I am researching the use of OpenXml for doing mass updates/inserts.

Does anyone know how this procedure works as far as sql injection is
concerned? I've always been taught to use sp's with parameters...does
using OpenXML open up any holes in that idea?

My thinking is that it would be fine (maybe even better), because the
fields will still be treated as literals.

Alternatively, are there any other suggestions for doing massive
amounts of updates/inserts?


We have a few places in our where we used to send down lot a rows one
by one, where we now send down one big XML document for vastly improved
performance.

Assuming that you pass your XML document to a stored procedure, and
call that procedure through RPC (that is, not an EXEC statement), and
don't use dynamic SQL, there is entry for SQL injection.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
Mar 9 '06 #2

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
2
7741
Using OPENXML
by: JM | last post by:
I have a SP set up to take an input param and then fire the following sp_xml_preparedocument OPENXML (With a select statement) sp_xml_removedocument This works fine with the XML syntax that...
Microsoft SQL Server
1
2663
OpenXML Query
by: jrd | last post by:
The below code is only pulling the outcome_id value, but is pulling back null for the other fields in the xml string, any ideas on what is going on? -- Prepare xml data to be transfered into an...
Microsoft SQL Server
2
1634
OPENXML question
by: Bostonasian | last post by:
I've got thousands of XML docs and have to import those to the DB. And I am having problem with getting some values because of tricky XML format. I didn't create this XML format and I don't like...
Microsoft SQL Server
1
2433
OPENXML vs BCP
by: Sandy | last post by:
Hi, My application writes data into sql server. Currently it converts data into XML (an in memory XML string) and write using OPENXML. I want to know if i write it to a csv file and use BCP,...
Microsoft SQL Server
0
2793
Syntax for OpenXML in ASP.NET
by: Micke | last post by:
On a code behing page to an aspx page I want to open a xml file in Excel and save it as an Excel file. I have following code that is working: Dim oExcel As New Excel.Application Dim oBook As...
ASP.NET
2
3691
Alternative to OpenXML
by: Shilpa | last post by:
Hi All, I want to pass XML and the data in the XML should be stored in the tables of the database. However, I do not want to use the OpenXML statement. Please let me know. Regards, Shilpa
Microsoft SQL Server
9
6699
Converting HTML to XHTML (JTidy,OpenXML,Xerces)
by: anupamjain | last post by:
Hi, After 2 weeks of search/hit-and-trial I finally thought to revert to the group to find solution to my problem.(something I should have done much earlier) This is the deal : On a JSP...
.NET Framework
1
2541
How to read second record within XML file by using openxml?
by: yingwen | last post by:
I have a xml similar like this: <Member ID="123"> <DateBorrowed>11-01-2006</DateBorrowed> <Book ID="222" Title="ABC"> <Category> Fiction</Category> </Book>...
XML
7
1729
Question on SQLinjection and XSS
by: Petra Meier | last post by:
Hello, if I use the following function for all my mySql commands in php, am I protected against all SQLinjections and XSS attacks? function sanitize($value){ return...
PHP
0
7193
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
7264
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
7316
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
1
6975
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
1
4992
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Microsoft Access / VBA
0
4666
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
C# / C Sharp
0
3160
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...
Networking - Hardware / Configuration
0
3148
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
0
1495
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
C# / C Sharp

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us