473,289 Members | 1,884 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,289 software developers and data experts.

SQLInjection with OpenXML

I am researching the use of OpenXml for doing mass updates/inserts.

Does anyone know how this procedure works as far as sql injection is
concerned? I've always been taught to use sp's with parameters...does
using OpenXML open up any holes in that idea?

My thinking is that it would be fine (maybe even better), because the
fields will still be treated as literals.

Alternatively, are there any other suggestions for doing massive
amounts of updates/inserts?

Mar 9 '06 #1
1 2152
figital (mh****@gmail.com) writes:
I am researching the use of OpenXml for doing mass updates/inserts.

Does anyone know how this procedure works as far as sql injection is
concerned? I've always been taught to use sp's with parameters...does
using OpenXML open up any holes in that idea?

My thinking is that it would be fine (maybe even better), because the
fields will still be treated as literals.

Alternatively, are there any other suggestions for doing massive
amounts of updates/inserts?


We have a few places in our where we used to send down lot a rows one
by one, where we now send down one big XML document for vastly improved
performance.

Assuming that you pass your XML document to a stored procedure, and
call that procedure through RPC (that is, not an EXEC statement), and
don't use dynamic SQL, there is entry for SQL injection.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
Mar 9 '06 #2

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: JM | last post by:
I have a SP set up to take an input param and then fire the following sp_xml_preparedocument OPENXML (With a select statement) sp_xml_removedocument This works fine with the XML syntax that...
1
by: jrd | last post by:
The below code is only pulling the outcome_id value, but is pulling back null for the other fields in the xml string, any ideas on what is going on? -- Prepare xml data to be transfered into an...
2
by: Bostonasian | last post by:
I've got thousands of XML docs and have to import those to the DB. And I am having problem with getting some values because of tricky XML format. I didn't create this XML format and I don't like...
1
by: Sandy | last post by:
Hi, My application writes data into sql server. Currently it converts data into XML (an in memory XML string) and write using OPENXML. I want to know if i write it to a csv file and use BCP,...
0
by: Micke | last post by:
On a code behing page to an aspx page I want to open a xml file in Excel and save it as an Excel file. I have following code that is working: Dim oExcel As New Excel.Application Dim oBook As...
2
by: Shilpa | last post by:
Hi All, I want to pass XML and the data in the XML should be stored in the tables of the database. However, I do not want to use the OpenXML statement. Please let me know. Regards, Shilpa
9
by: anupamjain | last post by:
Hi, After 2 weeks of search/hit-and-trial I finally thought to revert to the group to find solution to my problem.(something I should have done much earlier) This is the deal : On a JSP...
1
by: yingwen | last post by:
I have a xml similar like this: <Member ID="123"> <DateBorrowed>11-01-2006</DateBorrowed> <Book ID="222" Title="ABC"> <Category> Fiction</Category> </Book>...
7
by: Petra Meier | last post by:
Hello, if I use the following function for all my mySql commands in php, am I protected against all SQLinjections and XSS attacks? function sanitize($value){ return...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.