Re: Can this work - soft code SP table name in parameter?
From: David Portas (REMOVE_BEFORE_REPLYING_dportas_at_acm.org)
Date: 01/21/05
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Can this work - soft code SP table name in parameter?"
Date: Fri, 21 Jan 2005 08:01:13 -0000
> peripheral tables - there's no danger anyone can run the
> SP 'manually' or anything, due to the appropriate SQL user
> being the only person with permission to execute it.
Wrong. Did you read the article that Alejandro posted? Dynamic SQL forces
you to grant user-level access to tables, thereby destroying the key
security benefit of stored procedures. You should have a very good reason
for compromising security in this way: to save yourself a minute's work
cutting and pasting four SPs is not a good reason in my book. Dynamic SQL
should be a last resort.
-- David Portas SQL Server MVP --
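
The permission difference described in the reply above, as an added T-SQL example that is not part of the original message: a static procedure runs on EXECUTE permission alone through ownership chaining, while the same query built as dynamic SQL is checked against the caller's own table permissions. The table, user and procedure names (`dbo.Region`, `app_user`, `usp_GetRegion`, `usp_GetLookup`) are hypothetical, and the script assumes SQL Server 2005 or later for `CREATE USER ... WITHOUT LOGIN` and `EXECUTE AS`.

```sql
-- Constructed sample schema and user; all names are hypothetical.
CREATE TABLE dbo.Region (RegionID int PRIMARY KEY, Name nvarchar(50) NOT NULL);
INSERT INTO dbo.Region (RegionID, Name) VALUES (1, N'North');
CREATE USER app_user WITHOUT LOGIN;
GO

-- Static SQL: the table reference is compiled into the procedure, so
-- ownership chaining applies (procedure and table share the owner dbo).
CREATE PROCEDURE dbo.usp_GetRegion
AS
    SELECT RegionID, Name FROM dbo.Region;
GO

-- Dynamic SQL: the table name arrives as a parameter.
CREATE PROCEDURE dbo.usp_GetLookup @TableName sysname
AS
BEGIN
    DECLARE @sql nvarchar(max);
    -- QUOTENAME delimits the identifier against injection; it does nothing
    -- about permissions. The string runs in its own scope, outside the
    -- ownership chain, so access is checked against the caller.
    SET @sql = N'SELECT * FROM dbo.' + QUOTENAME(@TableName) + N';';
    EXEC sp_executesql @sql;
END
GO

-- The user gets EXECUTE on the procedures and nothing on the table.
GRANT EXECUTE ON dbo.usp_GetRegion TO app_user;
GRANT EXECUTE ON dbo.usp_GetLookup TO app_user;
GO

EXECUTE AS USER = 'app_user';
EXEC dbo.usp_GetRegion;                         -- succeeds without any table permission
EXEC dbo.usp_GetLookup @TableName = N'Region';  -- fails: SELECT permission denied on dbo.Region
REVERT;
GO

-- The dynamic version only works once the table itself is granted to the user...
GRANT SELECT ON dbo.Region TO app_user;
GO

EXECUTE AS USER = 'app_user';
EXEC dbo.usp_GetLookup @TableName = N'Region';  -- now succeeds
SELECT * FROM dbo.Region;                       -- ...and so does direct access that bypasses the procedure
REVERT;
GO
```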