command objects or not for stored procedures

Discussion in 'ASP General' started by Mike D, Mar 1, 2005.

  1. Mike D

    Mike D Guest

    I use stored procedures in my asp using the connection object. I validate
    any inputs to protect myself from SQL injection. Why is it, or isn't it
    better to use the command object? I have used the command object with
    parameters and the coding was a pain.

    Comments?? I realize this is an open ended question but I am trying to
    improve my skills/code if need be.

    Thanks

    Mike
     
    Mike D, Mar 1, 2005
    #1

  2. Mike D wrote:
    > I use stored procedures in my asp using the connection object. I
    > validate any inputs to protect myself from SQL injection. Why is it,
    > or isn't it better to use the command object? I have used the
    > command object with parameters and the coding was a pain.
    >


    Here is my take on the matter:
    http://tinyurl.com/jyy0

    Basically, while validation can definitely slow down a hacker attempting to
    use sql injection (usually to the point of forcing him to go find easier
    pickings), new techniques to foil validation are being found all the time:
    http://mvp.unixwiz.net/techtips/sql-injection.html
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

    The only sure way to prevent sql injection is to not use dynamic sql. This
    means using parameters to pass arguments. In most cases, an explicit Command
    object is not needed. Passing arguments by parameter relieves you of the
    chore of dealing with delimiters, embedded or otherwise.

    Bob Barrows

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Mar 1, 2005
    #2
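To make the distinction in the two posts above concrete, here is the same stored-procedure call written three ways from a classic ASP page: as dynamic SQL, as a parameterised call through the Connection object alone (the shortcut Bob refers to), and through an explicit Command object (the form Mike reports needing for Oracle). This is an added illustration, not code from either poster. The procedure `GetOrdersForUser`, its `@UserId` parameter, the `OrderNumber` column and `Application("ConnString")` are assumptions made for the example; the code is what would sit between the `<% %>` delimiters.

```vbscript
' Added example (not from either poster): one stored-procedure call written
' three ways. GetOrdersForUser, @UserId, OrderNumber and
' Application("ConnString") are assumptions for illustration.
Option Explicit

Dim conn, rs, userId
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")     ' assumed: connection string held at application scope

userId = Request.QueryString("id")       ' untrusted input straight from the request

' ---- 1. Dynamic SQL: the pattern the thread warns against -------------------
' Whatever is in userId becomes statement text, so the only thing keeping
' quotes, semicolons and comment markers out of the SQL is the validation that
' ran before this point. Kept as a function for contrast; it is never called.
Function BuildDynamicCall(id)
    BuildDynamicCall = "EXEC GetOrdersForUser " & id
End Function

' ---- 2. Parameters with no explicit Command object --------------------------
' ADO exposes each stored procedure of an open Connection as a method. The
' arguments are bound as parameters (ADO queries the procedure's signature to
' type them, at the cost of an extra round trip), so any delimiter inside
' userId is data, never SQL. The last argument receives the result set.
Set rs = Server.CreateObject("ADODB.Recordset")
conn.GetOrdersForUser CLng(userId), rs   ' CLng raises a type-mismatch error on non-numeric input
Do Until rs.EOF
    Response.Write Server.HTMLEncode(CStr(rs("OrderNumber"))) & "<br>"
    rs.MoveNext
Loop
rs.Close

' ---- 3. Explicit Command object ---------------------------------------------
' Same binding, more typing. Needed where the Connection-method shortcut is
' not available (the thread mentions Oracle) or when output and return
' parameters are involved. Numeric ADO constants are used so the page does
' not depend on adovbs.inc.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "GetOrdersForUser"
cmd.CommandType = 4                      ' adCmdStoredProc
cmd.Parameters.Append cmd.CreateParameter("@UserId", 3, 1, , CLng(userId))  ' adInteger, adParamInput
Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(CStr(rs("OrderNumber"))) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
```

Forms 2 and 3 send the argument to the driver as a typed parameter rather than as text, which is the point Bob makes: there are no delimiters for the page to escape, so there is nothing for a new encoding trick to get past. The `CLng` conversion is input validation in the ordinary sense (it rejects anything that is not an integer) but it is no longer what stands between the request and the database.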

  3. Mike D

    Mike D Guest

    Thanks Bob. Some of your questions to other posts are what prompted my
    question. I will read the links and see what's up. I find myself in an
    environment where I have to use both Oracle and MS SQL Server, and stored
    procedures in Oracle have so far required the command object to fire. It may
    give me more practice.

    Thanks
    Mike

    "Bob Barrows [MVP]" wrote:

    > Mike D wrote:
    > > I use stored procedures in my asp using the connection object. I
    > > validate any inputs to protect myself from SQL injection. Why is it,
    > > or isn't it better to use the command object? I have used the
    > > command object with parameters and the coding was a pain.
    > >

    >
    > Here is my take on the matter:
    > http://tinyurl.com/jyy0
    >
    > Basically, while validation can definitely slow down a hacker attempting to
    > use sql injection (usually to the point of forcing him to go find easier
    > pickings), new techniques to foil validation are being found all the time:
    > http://mvp.unixwiz.net/techtips/sql-injection.html
    > http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
    > http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    > http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    >
    > The only sure way to prevent sql injection is to not use dynamic sql. This
    > means using parameters to pass arguments. In most cases, an explicit Command
    > object is not needed. Passing arguments by parameter relieves you of the
    > chore of dealing with delimiters, embedded or otherwise.
    >
    > Bob Barrows
    >
    > --
    > Microsoft MVP - ASP/ASP.NET
    > Please reply to the newsgroup. This email account is my spam trap so I
    > don't check it very often. If you must reply off-line, then remove the
    > "NO SPAM"
    >
    >
    >
     
    Mike D, Mar 1, 2005
    #3
