mailing list archives
Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: Steve.Kimble () ICL COM (Steve.Kimble () ICL COM)
Date: Wed, 1 Mar 2000 18:54:07 -0000
From: Jefferson Ogata
Sent: 28 February 2000 20:24
Bertrand Schmitt wrote:
If you use Stored Procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design :
not as efficient and secured as storing them in your database server
(as stored procedures) and making a call to them without speaking
of coding properly : you do you reuse these pieces of code?!
Jefferson Ogata wrote:
Actually, it can be argued that using stored procedures is in general bad
design, as it buries your business rules down in the database layer. At the
same time, reliance on stored procedures usually locks you into a single
database vendor, thereby making the system unportable.
A better design is middleware.... (etc.)
I find the idea of transmitting unvalidated input directly to the database
leaving validation to the unportable stored procedure code to be distinctly
unsettling, and of no benefit to security.
Hell's bells! I can't imagine a database designer or coder _not_ performing
validation as the data is processed into a database, regardless of whether
has already been done. Also, the notion of "burying business rules in the
database" is totally sound, surely. Have we not (that's the IT industry
for many years, been attempting to tie our data closer to our business rules
so that the two become indistinguishable? Stored procedures are just part
of that. A simple view of the "data and the means to process it" is an
yes? If I could specify one "object" which equates to a complete business,
I think I'd make a mint and retire...no, on second thoughts, I think I'd
the idea very quiet, for similar reasons as the car industry has for not
abandoning reciprocating engines that run on oil products.
(Here please read usual stuff re. my opinions not being those of my