[thelist] SProcs - SELECT queries

Ken Schaefer ken.schaefer at gmail.com
Fri Jun 24 04:04:27 CDT 2005


The use of Exec() within your Sproc (in this case) negates any of the
security aspects.

The code, as posted, is subject to SQL injection attack, as there is
no validation of Request element input, either in the ASP code, or in
the stored procedure.

Cheers
Ken


On 6/24/05, Brian Cummiskey <Brian at hondaswap.com> wrote:
> Matt Warden wrote:
> > Brian,
> >
> > On 6/23/05, Brian Cummiskey <Brian at hondaswap.com> wrote:
> >
> >>yup.  SP's are more efficient most of the time, and are way more secure
> >>as well.
> >
> >
> > Is he going to see the performance gains if his query is conditional like that?
> >
> 
> Probably not. It's not a very intensive process anyway. Unless the
> table has 20,000 rows or more, I don't see the gain or loss in either
> method.
> 
> The SQL will process all the variables first, and create the
> @querystring query BEFORE it ever selects anything.
> 
> the ASP would generate the same sql string to the server.
> 
> I guess the keyword here is "most of the time"  :p
> 
> --
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !
>
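To illustrate Ken's point about Exec() inside a stored procedure, here is an added T-SQL example (not code from the thread; the table dbo.Parts and its columns PartId, PartName, Category and Price are assumed for illustration). The first procedure follows the pattern Brian describes: it assembles @querystring from its parameters and then runs it with EXEC(), so the procedure boundary adds no protection, because the parameter values become part of the statement text. The second procedure keeps the same conditional shape but passes the values through sp_executesql as parameters, and the third shows that for a handful of optional filters no dynamic SQL is needed at all.

```sql
-- Added example, not code from the thread. Table and column names
-- (dbo.Parts: PartId, PartName, Category, Price) are assumed.

-- 1. The pattern discussed in the thread: values concatenated into
--    @querystring, then compiled by EXEC(). Whatever arrives in
--    @Category is spliced into the SQL text, so the fact that the
--    ASP page called a stored procedure does not help at all.
CREATE PROCEDURE dbo.SearchParts_Dynamic
    @Category nvarchar(50) = NULL,
    @MinPrice money = NULL
AS
BEGIN
    DECLARE @querystring nvarchar(4000);
    SET @querystring = N'SELECT PartId, PartName, Price FROM dbo.Parts WHERE 1 = 1';
    IF @Category IS NOT NULL
        SET @querystring = @querystring + N' AND Category = ''' + @Category + N'''';
    IF @MinPrice IS NOT NULL
        SET @querystring = @querystring + N' AND Price >= ' + CONVERT(nvarchar(20), @MinPrice);
    EXEC (@querystring);   -- the built string is compiled as-is: this is the injection point
END
GO

-- 2. Hardened form: the statement shape is still conditional, but the
--    values never enter the SQL text. sp_executesql receives them as
--    typed parameters, so a quote character in @Category is just data.
CREATE PROCEDURE dbo.SearchParts_Safe
    @Category nvarchar(50) = NULL,
    @MinPrice money = NULL
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT PartId, PartName, Price FROM dbo.Parts WHERE 1 = 1';
    IF @Category IS NOT NULL
        SET @sql = @sql + N' AND Category = @Category';
    IF @MinPrice IS NOT NULL
        SET @sql = @sql + N' AND Price >= @MinPrice';
    EXEC sp_executesql @sql,
        N'@Category nvarchar(50), @MinPrice money',   -- parameter declarations
        @Category = @Category, @MinPrice = @MinPrice; -- values bound, not concatenated
END
GO

-- 3. No dynamic SQL at all: each optional filter becomes
--    "(@param IS NULL OR column = @param)". For a few conditions this
--    is the simplest and leaves nothing to inject into.
CREATE PROCEDURE dbo.SearchParts_Static
    @Category nvarchar(50) = NULL,
    @MinPrice money = NULL
AS
BEGIN
    SELECT PartId, PartName, Price
    FROM dbo.Parts
    WHERE (@Category IS NULL OR Category = @Category)
      AND (@MinPrice IS NULL OR Price >= @MinPrice);
END
GO

-- Usage (same call shape for all three; only the internals differ):
EXEC dbo.SearchParts_Safe @Category = N'Brakes', @MinPrice = 25.00;
```

The ASP side still has to call the procedure with a parameterised ADO Command (one Parameter per @argument) rather than building an EXEC string from Request values, otherwise the same concatenation problem simply moves one layer up.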

