Parm SQL Statements, necessary?

  • In an effort to reduce SQL Injection attacks with my ASP application, I use VB functions within ASP to strip apostrophes, as well as SELECT, INSERT, DELETE, XP_, etc from any value passed from a form to the actual execution statement.

    My question is, I find that coding parameters is a pain, or just a little more complicated than a normal T-SQL statement. What is the additional risk of not using spexecute and parms? Granted that I have stripped any characters that would make a single statement into a multi-statement?

    Thanks for your advice...


    "Life without progression is entropy"
    Sam Jaynes

  • I think what you're saying is that you've written code that effectively negates the need for spexecute and params.  The danger then is that your code has missed something that might be caught with another method.  Also, you've got to maintain your VB code in case a new threat emerges that no one has thought of yet.

    I'll bow out now and grab some popcorn while waiting for the sproc brigade to enter the fray.
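To illustrate the point about the filter "missing something", here is an added example (not code from either poster) that puts a blacklist filter of the kind described in the question beside a parameterised query. It assumes Python's sqlite3 module in place of SQL Server/ADO and a constructed customers table; the sample names are made up.

```python
import re
import sqlite3

# Blacklist filter in the spirit of the first post: strip apostrophes and a
# few SQL keywords from form input before concatenating it into a statement.
BLACKLIST = re.compile(r"'|SELECT|INSERT|DELETE|XP_", re.IGNORECASE)

def strip_dangerous(value: str) -> str:
    return BLACKLIST.sub("", value)

def setup() -> sqlite3.Connection:
    # Constructed sample data standing in for the application's table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("O'Brien",), ("Selected Widgets Ltd",), ("Smith",)])
    return conn

def find_by_name_stripped(conn: sqlite3.Connection, name: str) -> list:
    # Concatenation approach: the filter rewrites the value before it reaches
    # the engine, so legitimate data containing an apostrophe or a keyword
    # fragment is silently changed and the lookup fails.
    cleaned = strip_dangerous(name)
    sql = "SELECT id, name FROM customers WHERE name = '" + cleaned + "'"
    return conn.execute(sql).fetchall()

def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised approach: the value is bound as data, so apostrophes and
    # keywords inside it are never interpreted as SQL and nothing is stripped.
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name: str) -> tuple:
    # Returns (rows found via the stripping filter, rows found via parameters).
    conn = setup()
    return (find_by_name_stripped(conn, name), find_by_name_param(conn, name))

if __name__ == "__main__":
    for n in ("O'Brien", "Selected Widgets Ltd", "Smith"):
        print(n, "->", compare(n))
```

The stripped version loses every match on names that happen to contain an apostrophe or a substring such as "Select", while the parameterised version needs no filter and still treats the whole value as data.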

