SQL Injection
Considering SQL injection attacks (and not performance reasons), what is the difference between the two examples below? Taking the two examples into consideration, I don't understand how using a SP is any safer against attacks?

MySql = "SELECT field1 FROM table1 WHERE field2 = @search"
MyCommand = New SqlCommand(MySql, MyConnection)
Dim sp As SqlParameter = MyCommand.Parameters.Add("@search", SqlDbType.VarChar)
sp.Value = Request.QueryString("search")
Versus
MyCommand = New SqlCommand("usp_search", MyConnection)
MyCommand.CommandType = CommandType.StoredProcedure
Dim sp As SqlParameter = MyCommand.Parameters.Add("@search", SqlDbType.VarChar)
sp.Value = Request.QueryString("search")
usp_search code:
CREATE PROCEDURE usp_search @search varchar(50)
AS
SELECT field1
FROM table1
WHERE field2 = @search
GO
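Both snippets in the question bind @search as a parameter, and that binding is what keeps the user's input out of the SQL text; the stored procedure adds nothing on top of it. The following added example (not the poster's code) illustrates the mechanism with Python's sqlite3 module and a constructed table1, since SQLite has no stored procedures: a search term containing an apostrophe breaks a concatenated statement but is matched as plain data when bound as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for table1(field1, field2) from the question.
ROWS = [("alpha", "O'Brien"), ("beta", "Smith")]


def make_db():
    """Build an in-memory table1 with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (field1 TEXT, field2 TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)", ROWS)
    return conn


def search_concatenated(conn, search):
    """Unsafe pattern: the user-supplied string is spliced into the SQL text.

    An apostrophe in the input ends the string literal early, so the statement
    no longer parses and the database rejects it. Returns None in that case.
    """
    sql = "SELECT field1 FROM table1 WHERE field2 = '" + search + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def search_parameterized(conn, search):
    """Same shape as both examples in the question: the value is bound to a
    placeholder (? here, @search in SQL Server), so the database receives the
    SQL text and the value separately and never parses the value as SQL."""
    sql = "SELECT field1 FROM table1 WHERE field2 = ?"
    return [row[0] for row in conn.execute(sql, (search,))]


if __name__ == "__main__":
    db = make_db()
    for term in ("Smith", "O'Brien"):
        print(term, "concatenated:", search_concatenated(db, term),
              "parameterized:", search_parameterized(db, term))
```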