[thelist] Data validation (Best Practice) - asp/sql server

Peter Brunone (EasyListBox.com) peter at easylistbox.com
Thu Nov 18 10:18:46 CST 2004


Well, that makes a bit of a difference :)

This seems to be a mostly SQL Server-centric article (the title is "Building SQL Server Applications"). It doesn't address any other platforms, so it may not be the best context in which to evaluate web security concerns.

Even so, the author does implicitly mention your scenario; in that first paragraph, he writes "When implementing precautions against malicious input, consider the architecture and deployment scenarios of your application." In your case, consideration of the architecture would lead one to conclude that there is a better place than stored procedures in which to validate user input.

For what it's worth...

Peter

From: "Michael Pack" michaelpack at wvdhhr.org

Thanks for the info Peter! FYI - The article can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/bldgapps/ba_highprog_11kk.asp
It claims best practice for data validation for SQL Server 2000
applications. Please let me know if I am not understanding the context.

Thanks.

>>> "Peter Brunone (EasyListBox.com)" 11/18/2004 10:21:01 AM >>>

Hi Michael,

Without knowing any more about that article, I'd say it's wrong. If
you wait until you're in the stored proc for validation, you're opening
yourself up to SQL injection as well as involving more processes that
don't need to be involved at that stage. Besides, I found (back when I
did a lot of "Classic" ASP) that validating in the page was a lot easier
to do than trying to code it in TSQL (or any SQL, for that matter).

Again, maybe that line is taken out of context, but since that's all
I have here, I'd recommend ignoring that advice.

For more ASP best practices (and other subject matter), you might
want to consult the lists at http://www.aspfriends.com, since they have
very specialized groups dedicated to various aspects of ASP.

Cheers,

Peter

From: "Michael Pack" michaelpack at wvdhhr.org

Hi all, I'm back to collect some more information from all the gurus
out there. This time around I'm curious about best practice for data
validation. 

My current practice is to check against required fields before submit
using javascript. I then add an additional line of defense for required
fields with ASP conditional statements and perform all data validation
through vbscript as well. If all checks out I run the transaction.

I became a bit curious yesterday when I ran into a "Best Practice for
Validating User Input" article at MSDN that points out...

> Use stored procedures to validate user input.

I'm wondering about the pros and cons of using the database for validation
versus vbscript?

Thanks for any information.
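An added example (not code from anyone in this thread) of the layered approach Michael describes, arranged so that Peter's objection does not apply: the page validates in VBScript before the database is involved, and the stored procedure is then called through typed ADO parameters rather than an "EXEC ... '" & value & "'" string. The procedure name dbo.usp_SaveContact, its two parameters, and the open connection object conn are assumptions.

```vbscript
<%
' ADO constants, normally pulled in from adovbs.inc
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1
Const adExecuteNoRecords = 128

' Server-side check in VBScript. It runs whether or not the client-side
' JavaScript check ran, so it is the real line of defense.
' Returns "" when the input is acceptable, otherwise an error message.
Function ValidateContact(email, ageText)
    Dim re
    ValidateContact = ""
    If Len(Trim(email)) = 0 Or Len(email) > 255 Then
        ValidateContact = "E-mail is required (max 255 characters)."
        Exit Function
    End If
    Set re = New RegExp
    re.Pattern = "^[^@\s]+@[^@\s]+\.[^@\s]+$"
    If Not re.Test(email) Then
        ValidateContact = "E-mail address is not in a valid format."
        Exit Function
    End If
    re.Pattern = "^\d{1,3}$"          ' whole number, at most three digits
    If Not re.Test(ageText) Then
        ValidateContact = "Age must be a whole number."
    ElseIf CLng(ageText) > 150 Then
        ValidateContact = "Age is out of range."
    End If
End Function

' Call the (assumed) stored procedure with typed parameters. The values
' travel as data, never as part of the SQL text, so nothing the user typed
' can change the statement. A concatenated "EXEC dbo.usp_SaveContact '" &
' email & "'" would hand that control to the caller before the procedure
' ever ran, which is the injection path Peter describes.
Sub SaveContact(conn, email, age)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_SaveContact"
    cmd.Parameters.Append cmd.CreateParameter("@Email", adVarChar, adParamInput, 255, email)
    cmd.Parameters.Append cmd.CreateParameter("@Age", adInteger, adParamInput, , age)
    cmd.Execute , , adExecuteNoRecords
End Sub

Dim errMsg
errMsg = ValidateContact(Request.Form("email"), Request.Form("age"))
If errMsg <> "" Then
    Response.Write Server.HTMLEncode(errMsg)   ' encode before echoing back
Else
    SaveContact conn, Request.Form("email"), CLng(Request.Form("age"))
End If
%>
```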

-- 

* * Please support the community that supports you. * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester 
and archives of thelist go to: http://lists.evolt.org 
Workers of the Web, evolt ! 
