SQL injection attacks [LWN.net]

SQL injection attacks

Posted Mar 31, 2006 11:06 UTC (Fri) by pdc (guest, #1353)
In reply to: SQL injection attacks by jwb
Parent article: SQL injection attacks

To try to avoid this we do all access from a web app to the SQL Server database via stored procedures, with user input passed as parameters. At least then you can reastrict the privileges of the web application to just the procedures it needs to use. Makes the database development rather tedious, however.

to post comments

SQL injection attacks

Posted Mar 31, 2006 19:20 UTC (Fri) by dwkunkel (guest, #5999) [Link]

I use Oracle stored procedures to simplify my web applications. All the business logic is handled by stored procedures and there is no sql in the web pages. The pages just pass parameters to the appropriate stored procedure.

An Oracle stored procedure can return multiple reference cursors that can be cast to Java ResultSets and used directly in a web page. The reference cursors can also be converted to Cached RowSets and used in Data Transfer Objects. Performance is quite good because everything is done in a single trip to the database.

I don't know about SQL Server, but I find Oracle's PL/SQL to be an easy to use programming language that makes it relatively simple to produce very readable code.