Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Wed, 1 Mar 2000 13:16:46 +0100

Actually, it can be argued that using stored procedures is in general bad
design, as it buries your business rules down in the database layer. At the
same time, reliance on stored procedures usually locks you into a single
database vendor, thereby making the system unportable.

Stored procedures are fast & efficient, so you have to choose!

A better design is middleware written in a proper, portable language that
enforce your business rules and validate all input thoroughly, and narrows
access to the database to a well-defined, well-protected interface.
can then make major mistakes in the interface code without risking database
compromise. In addition, using middleware gives you the opportunity of
using a
language such as Perl that is well adapted to input validation and string
manipulation, and all the advantages of *real* code reuse.

But isn't ASP used as a middleware in that case?!

Using Perl as a well adapted middleware, and "a proper, portable language"
is quiet a funny thing!! You must be joking ??

Have you ever tried to maintain Perl code made by other people than you?
Tried to used its object-oriented features ;-)) ? Real code reuse in Perl!!!
Do you mean copy & paste operations???

With ASP you use a "glue" called JavaScript & VBScript, and for the really
complicated business logic you use trully advanced & proper programming
languages like C++ or even Java...

Stored procedures can be used for operations which have to be
very fast, or when you want to be sure of the "low-level" integrity
of your database ...

Bertrand Schmitt
Chief Technical Office

mailto:bertrand.schmitt () arkadia com

Tel: +33(0)1 41214416
Fax: +33(0)1 41214415

42, rue Louis Calmel
92230 Gennevilliers - France

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]