Subject: Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: Nick Southwell (nick CREATIVEONLINEMEDIA.COM)
Date: Tue Feb 29 2000 - 05:14:09 CST
- Next message: Peter Gutmann: "Re: Disk (over)quota in Windows 2000"
- Previous message: Vitek, Ian: "Infosec.20000229.axisstorpointcd.a"
- In reply to: Smith, Eric V.: "Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)"
- Reply: Nick Southwell: "Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The original problem was related to code produced by Site Server wizards. These wizards do not use SPs. It's quite a task to rewrite a whole site as SP'ed. Maybe MS should be looking at a move to this methodology.

In general the extra time in doing DB access as SPs isn't justified, mainly because people aren't aware of the issue.

Nick.
> This can still be a problem even if you use stored
> procedures. I've seen code like this:
>
> sql = "exec sp_name " & userdata
>
> If userdata contains '0; delete from table' then you've
> got a problem.
>
> The best way around this is to use parameterized queries
> for all data access, including stored procedures, selects,
> inserts, and updates. Never build up sql statements from
> strings that include user input.
>
> Eric.
> If you use Stored Procedure calls in your ASP pages this
> can't happen!! Manually creating SQL statements within ASP
> is poor design: not as efficient and secured as storing
> them in your database server (as stored procedures) and
> making a call to them, without speaking of coding properly:
> do you reuse these pieces of code?!
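The point of Eric's quoted example, and of Nick's reply, is that calling a stored procedure does not by itself stop injection; only keeping user data out of the SQL text does. The script below is an added example, not code from the thread or from Site Server. It uses SQLite as a stand-in for SQL Server (SQLite has no stored procedures, so a SELECT by id plays the role of sp_name), and the run_batch helper is an assumption that emulates the ADO/SQL Server behaviour of executing every ';'-separated statement in a string. The sample table, the function names and the payload handling are all constructed for this illustration.

```python
import sqlite3

# The hostile userdata from Eric's quoted example.
PAYLOAD = "0; delete from orders"


def make_db():
    """Constructed sample data (not from the thread): three orders."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT);
        INSERT INTO orders VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
    """)
    return db


def run_batch(db, sql):
    """Assumption: emulate the SQL Server/ADO behaviour the thread relies on,
    where a string holding several ';'-separated statements runs as one batch.
    sqlite3's execute() refuses multiple statements, so split them here.
    (Naive split on ';'; adequate for this demonstration only.)"""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt:
            rows.extend(db.execute(stmt).fetchall())
    db.commit()
    return rows


def lookup_concat(db, userdata):
    """The vulnerable ASP pattern  sql = "exec sp_name " & userdata.
    A SELECT by id stands in for sp_name; the concatenation is the point."""
    sql = "SELECT id, customer FROM orders WHERE id = " + userdata
    return run_batch(db, sql)


def lookup_param(db, userdata):
    """The fix Eric recommends: a parameterized query. The value travels
    separately from the SQL text and is never parsed as SQL, so the embedded
    ';' and 'delete' are just characters inside one string value."""
    return db.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (userdata,)
    ).fetchall()


def count_orders(db):
    return db.execute("SELECT count(*) FROM orders").fetchone()[0]


def demo(userdata=PAYLOAD):
    """Run both variants against fresh copies of the data and return
    (rows returned, orders remaining) for each."""
    db = make_db()
    concat_rows = lookup_concat(db, userdata)
    concat_left = count_orders(db)

    db = make_db()
    param_rows = lookup_param(db, userdata)
    param_left = count_orders(db)
    return {
        "concat": (concat_rows, concat_left),
        "param": (param_rows, param_left),
    }


if __name__ == "__main__":
    for name, (rows, left) in demo().items():
        print(f"{name:6s} rows={rows} orders remaining={left}")
```

With the payload, the concatenated version returns nothing and leaves zero orders in the table; the parameterized version also returns nothing but leaves all three rows intact, because the whole payload was compared against id as a single value. With a benign "2" both paths return the same row. In classic ASP the parameterized form is an ADO Command with CommandType set to adCmdStoredProc and the value supplied through Parameters.Append rather than spliced into CommandText.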