Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Wed, 1 Mar 2000 13:16:46 +0100
> Actually, it can be argued that using stored procedures is in general bad
> design, as it buries your business rules down in the database layer. At the
> same time, reliance on stored procedures usually locks you into a single
> database vendor, thereby making the system unportable.

Stored procedures are fast & efficient, so you have to choose!

> A better design is middleware written in a proper, portable language that
> enforces your business rules and validates all input thoroughly, and narrows
> access to the database to a well-defined, well-protected interface.
> can then make major mistakes in the interface code without risking database
> compromise. In addition, using middleware gives you the opportunity of
> language such as Perl that is well adapted to input validation and string
> manipulation, and all the advantages of *real* code reuse.
But isn't ASP used as a middleware in that case?!

Using Perl as a well adapted middleware, and "a proper, portable language"
is quite a funny thing!! You must be joking??
Have you ever tried to maintain Perl code made by other people than you?
Tried to use its object-oriented features ;-)) ? Real code reuse in Perl!!!
Do you mean copy & paste operations???
complicated business logic you use truly advanced & proper programming
languages like C++ or even Java...

Stored procedures can be used for operations which have to be
very fast, or when you want to be sure of the "low-level" integrity
of your database ...
Chief Technical Office
mailto:bertrand.schmitt () arkadia com
Tel: +33(0)1 41214416
Fax: +33(0)1 41214415
42, rue Louis Calmel
92230 Gennevilliers - France
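The thread above argues about which layer should own input validation, but the advisory it answers (non-validated SQL inputs) is really about what happens when user text is pasted straight into a query. The example below is added here and is not code from the original post or from Site Server; it uses Python's bundled sqlite3 module as a stand-in for the commerce database, and the `products` table, the SKU format and the sample rows are constructed for the example. It puts the naive concatenation the thread is arguing about next to the "narrow, well-defined interface" style of middleware: validate the input against its documented shape, then pass it to the database as a bound parameter so it can never be read as SQL.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory catalog standing in for the commerce database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Widget", 9.99), ("B200", "Gadget", 19.99), ("C300", "Gizmo", 29.99)],
    )
    return con


def lookup_unvalidated(con, sku):
    """The pattern MS00-010 describes: the caller's string becomes part of the SQL text.

    Any quote character in `sku` ends the literal and the rest of the
    input is interpreted as SQL, so the query the database runs is no
    longer the one the developer wrote.
    """
    sql = "SELECT sku, name FROM products WHERE sku = '" + sku + "'"
    return con.execute(sql).fetchall()


# Assumed SKU format for this example: one capital letter and three digits.
SKU_RE = re.compile(r"[A-Z][0-9]{3}")


def lookup_middleware(con, sku):
    """Narrow interface: reject anything outside the documented format, then bind.

    Validation enforces the business rule (what a SKU looks like); the
    bound parameter enforces the database rule (input is data, never SQL).
    Either control alone would stop this particular input; together they
    also cover the case where the format check is later loosened.
    """
    if not SKU_RE.fullmatch(sku):
        raise ValueError(f"rejected SKU: {sku!r}")
    return con.execute("SELECT sku, name FROM products WHERE sku = ?", (sku,)).fetchall()


def compare(sku):
    """Run the same input through both interfaces and report what each returned."""
    con = make_db()
    naive = lookup_unvalidated(con, sku)
    try:
        safe = lookup_middleware(con, sku)
    except ValueError as exc:
        safe = str(exc)
    return {"input": sku, "unvalidated_rows": len(naive), "middleware": safe}


if __name__ == "__main__":
    # A well-formed SKU behaves identically in both versions.
    print(compare("A100"))
    # A constructed input containing a quote: the naive version returns the
    # whole table because the literal was closed early, the middleware
    # version refuses it before the database ever sees it.
    print(compare("x' OR '1'='1"))
```

The point is not that one layer or language is the right home for the check, which is what the thread disputes, but that the database must receive the value through an interface that cannot reinterpret it; stored procedures called with typed parameters give the same property, and a stored procedure that itself builds dynamic SQL from its arguments loses it again.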