tags:

views:

655

answers:

2
+2  Q: 

Parameterized queries WITHOUT stored procedures?

Every sample I've seen uses stored procedures. I've adopted an old application written in Classic ASP that uses inline SQL. This is an obvious issue, so I need to convert it to safer code. The client does not wish that I use stored procedures in this application, so is there a way to run parameterized queries without stored procedures?

Thanks

+5  A: 

Yes, there is. Have a look at some of these examples:

http://www.securestate.blogspot.com/2008/09/classic-asp-sql-injection-prevention_30.html http://www.userfriendlythinking.com/Blog/BlogDetail.asp?p1=7013&p2=119&p7=3001

AdaTheDev  2009-07-27 13:02:49
The first link does not appear to work
Chris  2009-07-27 13:23:27
It worked fine for me
Tom H.  2009-07-27 14:11:08
Just tested. Doesn't seem to load without the www but its fine with it. Thanks!
Chris  2009-07-27 14:18:29
The approach in the second link is my preference, the problem with the approach in the first link is it round trips to the SQL server whilst preparing the parameter set, the second approach doesn't do that since it creates the parameters explicitly.
AnthonyWJones  2009-07-30 08:08:11
The '%5F' in the URL causes a 404. Some browsers probably convert that to '_', which is why it works for some and not others.
outis  2009-10-22 03:14:33
A: 

Is there any reason why the client doesn't want to use stored procedures? It is much easier to use stored procedures both on the database level as well as in your source code. You should get query plan caching on your inline query if you use the second method from above, but depending on what you are doing you might be better off with simple sprocs if you can convince your client that it's ok to use them. If all else fails the links above are pretty solid, especially the second one.

tnolan  2009-08-03 18:25:11
-1: "easier" is subjective, and the use of stored procedures is not a guarantee against SQL injection.
RedFilter  2009-09-03 15:00:36
I don't think for a minute that this is a subjective thing. This is a standard concept of multi-tier development, separating your logic and data tiers. I also never said that stored procedures _guarantee_ protection against SQL injection. Parameterized queries and stored procedures will prevent many situations that happen from lazy coding allowing SQL injection, but it doesnt prevent dynamic queries in sprocs from being vulnerable among other things. A down vote seems pretty inappropriate considering this was a valid and insightful response.
tnolan  2009-09-10 22:07:32

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP