|
From: James Rich How is this any better than simply using prepared statements? AFAIK prepared statements completely remove the possibility of SQL injection attacks. Statement scanning becomes completely unnecessary.
Well, that depends on what you're scanning for. You can avoid the more egregious SQL injection issues, but it won't necessarily guard against improper access. Using stored procedures gives you a bit more flexibility over guarding against invalid row and column-level access if, for instance, one user can access certain columns and another can't. Forced to make a choice between the two, prepared statements is certainly a preferable approach over dynamic SQL from a security perspective. Of course at that point, you are in effect hardcoding the SQL statement, so you lose some of the reasons that make SQL attractive in the first place. If you're going to limit the user to only those SQL statements you've hardcoded you might just as well use programmed native I/O and be done with it. Joe
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
