Re: Dynamic SQL instead of stored procs?
Hi,
For projects where I am forced to use inline SQL, I typically have a
Queries subfolder in my application folder where I store all/most
queries each in a separate file. At runtime, I just read in the
particular file and execute the SQL within. If a bug crops up in the
SQL code, I can just change the file without having to recompile the
application.
You risk code injection calls. You must add a security layer to this
folder or otherwise bad things can happen.
I would suggest using Stored Procedures since it's good for
maintenance (Deployment, optimization etc.) and the main reason (for
me) is security. Using inline SQL (or dynamic) you can't force
execution denial. Stored Procedures security (In SQL Server 2000 and
up) can be managed quite roughly, and you can modulate the calls for
security modulation.
Moty.
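The permission model Moty's reply points at, as an added T-SQL example that is not code from either poster. With inline SQL the application login needs rights on the tables themselves, so nothing stops it (or injected text riding on it) from running arbitrary statements against them; with stored procedures the login can be granted EXECUTE on the procedure only, while the table is denied outright. The object names (Orders, GetOrdersByCustomer, app_reader, app_user) are assumed for illustration, and the syntax is the modern CREATE ROLE / ALTER ROLE / EXECUTE AS form (SQL Server 2005+ for EXECUTE AS, 2012+ for ALTER ROLE ... ADD MEMBER); on SQL Server 2000 the same grants are made with sp_addrole / sp_addrolemember and tested from a separate login.

```sql
-- Added example, not from the thread. Object names are hypothetical.

-- 1. A table the application login must never touch directly.
CREATE TABLE dbo.Orders (
    OrderId     INT IDENTITY PRIMARY KEY,
    CustomerId  INT NOT NULL,
    Total       DECIMAL(10, 2) NOT NULL
);
GO

-- 2. The only sanctioned way to read it: a procedure with a typed parameter.
--    @CustomerId is an INT, so a caller cannot smuggle SQL text through it,
--    and the statement inside is fixed rather than assembled from strings.
CREATE PROCEDURE dbo.GetOrdersByCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, CustomerId, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END
GO

-- 3. A role for the application login: EXECUTE on the procedure, explicit
--    DENY on the table. Because procedure and table share an owner (dbo),
--    ownership chaining lets the procedure read the table on the caller's
--    behalf without evaluating the caller's table permissions at all.
CREATE ROLE app_reader;
GRANT EXECUTE ON dbo.GetOrdersByCustomer TO app_reader;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_reader;
GO

-- 4. Put the application's database user in the role.
--    (Assumes the login and user already exist, e.g.
--     CREATE USER app_user FOR LOGIN app_login;)
ALTER ROLE app_reader ADD MEMBER app_user;
GO

-- 5. Verify the boundary from the application's point of view.
EXECUTE AS USER = 'app_user';
EXEC dbo.GetOrdersByCustomer @CustomerId = 42;   -- allowed: EXECUTE granted
SELECT * FROM dbo.Orders;                        -- refused: SELECT permission denied on 'Orders'
REVERT;
GO
```

The check in step 5 is the one to run after every deployment: if the direct SELECT ever succeeds for the application user, someone has granted table rights back and the "execution denial" the reply relies on is gone. Note that the DENY does not interfere with the procedure because ownership chaining skips the table-permission check entirely when caller object and referenced object have the same owner; moving the table to a different schema owner would break that chain and the procedure would start failing for app_user.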