Bugtraq
mailing list archives
Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Wed, 1 Mar 2000 13:16:46 +0100
Actually, it can be argued that using stored procedures is in general bad design, as it buries your business rules down in the database layer. At the same time, reliance on stored procedures usually locks you into a single database vendor, thereby making the system unportable.

Stored procedures are fast & efficient, so you have to choose!

A better design is middleware written in a proper, portable language that can enforce your business rules and validate all input thoroughly, and narrows the access to the database to a well-defined, well-protected interface. Programmers can then make major mistakes in the interface code without risking database compromise. In addition, using middleware gives you the opportunity of using a language such as Perl that is well adapted to input validation and string manipulation, and all the advantages of *real* code reuse.
But isn't ASP used as a middleware in that case?!
Using Perl as a well adapted middleware, and "a proper, portable language"
is quite a funny thing!! You must be joking ??
Have you ever tried to maintain Perl code made by other people than you?
Tried to use its object-oriented features ;-)) ? Real code reuse in Perl!!!
Do you mean copy & paste operations???
With ASP you use a "glue" called JavaScript & VBScript, and for the really
complicated business logic you use truly advanced & proper programming
languages like C++ or even Java...
Stored procedures can be used for operations which have to be very fast, or when you want to be sure of the "low-level" integrity of your database ...
_____________________
Bertrand Schmitt
Chief Technical Office
mailto:bertrand.schmitt () arkadia com
http://www.arkadia.com
Tel: +33(0)1 41214416
Fax: +33(0)1 41214415
42, rue Louis Calmel
92230 Gennevilliers - France
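The middleware-versus-stored-procedure argument in this thread, as an added example that is not part of the original posts: a narrow data-access function that validates its input (against an assumed SKU format) and binds it as a parameter, beside the string-concatenated query of the kind the BID describes, both run against a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the commerce site's store.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER);
INSERT INTO products VALUES ('A100', 'Widget', 999), ('B200', 'Gadget', 2499);
""")


def lookup_unsafe(sku):
    """Non-validated input pasted straight into SQL: whatever the caller
    sends reaches the database's SQL parser unchanged."""
    sql = "SELECT name, price_cents FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


# Assumed SKU format for this example: one capital letter and three digits.
SKU_RE = re.compile(r"^[A-Z][0-9]{3}$")


def lookup_middleware(sku):
    """The narrow, well-protected interface the thread argues for: the input
    is checked against an allow-list pattern, then bound as a parameter so the
    database never sees it as SQL text."""
    if not SKU_RE.fullmatch(sku):
        raise ValueError("rejected sku: %r" % sku)
    return conn.execute(
        "SELECT name, price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchall()


def outcome(fn, sku):
    """Classify how a layer handles an input, to compare the two designs:
    did the value get answered, stopped by the middleware, or did a malformed
    string make it all the way to the database parser?"""
    try:
        return ("ok", fn(sku))
    except ValueError:
        return ("rejected_before_db", None)
    except sqlite3.OperationalError:
        return ("reached_db_parser", None)


if __name__ == "__main__":
    for sku in ("A100", "A100'", "a100"):
        print(sku, outcome(lookup_unsafe, sku), outcome(lookup_middleware, sku))
```

A stray quote in the input is enough to show the difference: the concatenated version hands a broken statement to the database, while the middleware version never lets it leave the application layer.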