SQL injection attacks
Posted Mar 31, 2006 11:06 UTC (Fri) by pdc (guest, #1353) In reply to: SQL injection attacks by jwb
Parent article: SQL injection attacks
To try to avoid this we do all access from a web app to the SQL Server database via stored procedures, with user input passed as parameters. At least then you can restrict the privileges of the web application to just the procedures it needs to use. Makes the database development rather tedious, however.
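The arrangement pdc describes, as an added example that is not part of the comment or any project's code: a SQL Server (T-SQL) stored procedure that takes user input only as a typed parameter, and the grants that confine the web application's database principal to executing that procedure. The table, procedure, role and user names (dbo.Customers, dbo.usp_GetCustomerByEmail, webapp_role, webapp_user) are assumptions, and the sample row is constructed.

```sql
-- Added example (not from the thread). Assumed object names throughout.
-- Sample table and one constructed row so the script runs in a fresh database.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(100)    NOT NULL,
    Email      NVARCHAR(256)    NOT NULL
);
INSERT INTO dbo.Customers (Name, Email) VALUES (N'Alice Example', N'alice@example.com');
GO

-- User input enters only through the typed parameter @Email. The value is
-- bound, never spliced into statement text, so its contents cannot alter
-- the shape of the query.
CREATE PROCEDURE dbo.usp_GetCustomerByEmail
    @Email NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name, Email
    FROM dbo.Customers
    WHERE Email = @Email;
END;
GO

-- Least privilege: the web application's principal gets EXECUTE on the
-- procedure and nothing on the underlying table. webapp_user is created
-- WITHOUT LOGIN here so the script is self-contained; in practice it would
-- be mapped to the application's login.
CREATE USER webapp_user WITHOUT LOGIN;
CREATE ROLE webapp_role;
ALTER ROLE webapp_role ADD MEMBER webapp_user;
GRANT EXECUTE ON OBJECT::dbo.usp_GetCustomerByEmail TO webapp_role;
-- Deliberately absent: any GRANT SELECT/INSERT/UPDATE/DELETE ON dbo.Customers.
GO

-- Check the boundary by impersonating the application principal.
EXECUTE AS USER = 'webapp_user';
EXEC dbo.usp_GetCustomerByEmail @Email = N'alice@example.com';
SELECT * FROM dbo.Customers;
REVERT;
GO
```

Run under `webapp_user`, the `EXEC` returns the row while the direct `SELECT` is refused with a permission error, which is the property pdc is after: the application can reach data only through the procedures it has been granted. One caveat for anyone copying the pattern: a procedure that concatenates its parameters into a string and runs it with `EXEC(@sql)` reintroduces the injection problem inside the database; where dynamic SQL is unavoidable, `sp_executesql` with a parameter list keeps the values bound.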
Posted Mar 31, 2006 19:20 UTC (Fri) by dwkunkel (guest, #5999)
An Oracle stored procedure can return multiple reference cursors that can be cast to Java ResultSets and used directly in a web page. The reference cursors can also be converted to Cached RowSets and used in Data Transfer Objects. Performance is quite good because everything is done in a single trip to the database.
I don't know about SQL Server, but I find Oracle's PL/SQL to be an easy to use programming language that makes it relatively simple to produce very readable code.
I use Oracle stored procedures to simplify my web applications. All the business logic is handled by stored procedures and there is no SQL in the web pages. The pages just pass parameters to the appropriate stored procedure.
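A PL/SQL sketch of what dwkunkel describes, added here as an example and not taken from the comment: one procedure takes a bound parameter and hands back two reference cursors, so a page gets both result sets in a single round trip without any SQL text in the application tier. The tables, columns, procedure name and role (orders, addresses, get_customer_page, webapp_role) are assumptions.

```sql
-- Added example (not from the thread). Assumed table and column names.
-- Sample tables with one constructed row each so the script runs on its own.
CREATE TABLE orders (
    order_id    NUMBER PRIMARY KEY,
    customer_id NUMBER NOT NULL,
    order_total NUMBER(10,2) NOT NULL
);
CREATE TABLE addresses (
    address_id  NUMBER PRIMARY KEY,
    customer_id NUMBER NOT NULL,
    city        VARCHAR2(80) NOT NULL
);
INSERT INTO orders    VALUES (1001, 42, 199.95);
INSERT INTO addresses VALUES (7, 42, 'Springfield');
COMMIT;

-- p_customer_id is a bind variable inside both queries; the caller never
-- supplies SQL text, only the value. Each OUT parameter is a ref cursor that
-- a JDBC client reads as a ResultSet.
CREATE OR REPLACE PROCEDURE get_customer_page (
    p_customer_id IN  orders.customer_id%TYPE,
    p_orders      OUT SYS_REFCURSOR,
    p_addresses   OUT SYS_REFCURSOR
) AS
BEGIN
    OPEN p_orders FOR
        SELECT order_id, order_total
        FROM   orders
        WHERE  customer_id = p_customer_id;

    OPEN p_addresses FOR
        SELECT address_id, city
        FROM   addresses
        WHERE  customer_id = p_customer_id;
END get_customer_page;
/

-- The application's role may call the procedure; it receives no grants on
-- orders or addresses themselves.
GRANT EXECUTE ON get_customer_page TO webapp_role;
```

On the Java side the call is a `CallableStatement` of the form `{call get_customer_page(?, ?, ?)}`: the page sets the first parameter, registers the other two as `oracle.jdbc.OracleTypes.CURSOR`, executes once, and casts each `getObject` result to a `ResultSet`. That is the "single trip to the database" in the comment; the procedure's `EXECUTE` grant is also the only database privilege the web application needs.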