SQL Injection Article

Roy pointed to this article about OO SQL Injection avoidance. Unfortunately, I'm going to have to disagree with him entirely about his excitement for this method. It still uses direct query strings, which is the biggest security risk imaginable. There is a really simple way to stop SQL Injection attacks, and it will be the focus of my next article on Builder.com (still open for business, unlike Wrox): use Stored Procedures (SPROCS), and explicitly deny SELECT, INSERT, and DELETE privileges on your tables. Think what happens if someone gets your connection string and gets access to your database... they could have a field day.

While this article is very detailed and a great example, it is not nearly as effective as a solid function-based DAL design accessing restricted SPROCS.
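To make the point concrete, here is an added example (not code from the post or from the article it discusses) of the access model described above, written for SQL Server in T-SQL. The table, procedure and login names (dbo.Customers, dbo.GetCustomerByEmail, app_user) are assumptions for illustration. The application account is denied every direct table privilege and is granted EXECUTE on one procedure; because the procedure and the table share an owner (dbo), ownership chaining lets the procedure read the table while the login itself cannot.

```sql
-- Added example, not from the original post: stored-procedure-only access for an
-- application login in SQL Server. All object and login names are assumptions.

CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    FullName   NVARCHAR(128) NOT NULL
);
GO

-- The procedure takes a typed parameter. The value is never concatenated into
-- SQL text, so whatever the caller supplies is compared as data, not run as code.
CREATE PROCEDURE dbo.GetCustomerByEmail
    @Email NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Email, FullName
    FROM dbo.Customers
    WHERE Email = @Email;
END
GO

-- The application's login gets EXECUTE on the procedure and nothing else.
CREATE LOGIN app_user WITH PASSWORD = '<replace-with-a-strong-password>';
CREATE USER app_user FOR LOGIN app_user;
GO

DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO app_user;
GRANT EXECUTE ON dbo.GetCustomerByEmail TO app_user;
GO

-- Verify the restriction from the application account itself.
EXECUTE AS USER = 'app_user';
    -- This direct query fails with "The SELECT permission was denied on the
    -- object 'Customers'", which is exactly what a stolen connection string
    -- should buy an attacker: nothing beyond the procedures you exposed.
    -- SELECT * FROM dbo.Customers;

    -- This works: dbo owns both the procedure and the table, so the DENY on
    -- the table is not evaluated when it is reached through the procedure.
    EXEC dbo.GetCustomerByEmail @Email = N'alice@example.com';
REVERT;
GO
```

Two caveats a practitioner should check. First, the client must actually pass the value as a parameter (CommandType.StoredProcedure with a SqlParameter in ADO.NET); building the string `EXEC GetCustomerByEmail '...'` by concatenation puts the injection right back. Second, a procedure that assembles its own SQL text with EXEC(@sql) and string concatenation is just as injectable as inline SQL; if dynamic SQL is unavoidable, pass the values through sp_executesql's parameter list rather than into the string.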

I'll post a rough draft of the article in a few days (after my big AZDNUG presentation Tuesday night). The article doesn't hit Builder for a few weeks, but I can get it up here in the meantime, just to get you guys started.

1 Comment

  • I agree. This is not the best way to handle it. Simply, I pointed out another way, which I hadn't thought of - another direction for implementing these things.
