command objects or not for stored procedures

[Mike D]

I use stored procedures in my asp using the connection object. I validate
any inputs to protect myself from SQL injection. Why is it, or isn't it
better to use the command object? I have used the command object with
parameters and the coding was a pain.

Comments?? I realize this is an open ended question but I am trying to
improve my skills/code if need be.

Thanks

Mike

 

[Bob Barrows [MVP]]

I use stored procedures in my asp using the connection object. I
validate any inputs to protect myself from SQL injection. Why is it,
or isn't it better to use the command object? I have used the
command object with parameters and the coding was a pain.

Here is my take on the matter:
http://tinyurl.com/jyy0

Basically, while validation can definitely slow down a hacker attempting to
use sql injection (usually to the point of forcing him to go find easier
pickings), new techniques to foil validation are being found all the time:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

The only sure way to prevent sql injection is to not use dynamic sql. This
means using parameters to pass arguments. In most cases, an explicit Command
object is not needed. Passing arguments by parameter relieves you of the
chore of dealing with delimiters, embedded or otherwise.

Bob Barrows

 

[Mike D]

Thanks Bob. Some of your questions to other posts are what prompted my
question. I will read the links and see what's up. I find myself in an
environment where I have to use both Oracle and MS SQL Server and stored
procedure in Oracle have so far required the command object to fire. It may
give me more practice.

Thanks
Mike