Bugtraq mailing list archives
Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: bertrand.schmitt () ARKADIA COM (Bertrand Schmitt)
Date: Wed, 1 Mar 2000 13:16:46 +0100
Actually, it can be argued that using stored procedures is in general bad design, as it buries your business rules down in the database layer. At the same time, reliance on stored procedures usually locks you into a single database vendor, thereby making the system unportable.

Stored procedures are fast & efficient, so you have to choose!

A better design is middleware written in a proper, portable language that can enforce your business rules and validate all input thoroughly, and narrows the access to the database to a well-defined, well-protected interface. Programmers can then make major mistakes in the interface code without risking database compromise. In addition, using middleware gives you the opportunity of using a language such as Perl that is well adapted to input validation and string manipulation, and all the advantages of *real* code reuse.
But isn't ASP used as a middleware in that case?! Using Perl as a well adapted middleware, and "a proper, portable language" is quite a funny thing!! You must be joking?? Have you ever tried to maintain Perl code made by other people than you? Tried to use its object-oriented features ;-)) ? Real code reuse in Perl!!! Do you mean copy & paste operations???

With ASP you use a "glue" called JavaScript & VBScript, and for the really complicated business logic you use truly advanced & proper programming languages like C++ or even Java... Stored procedures can be used for operations which have to be very fast, or when you want to be sure of the "low-level" integrity of your database ...

_____________________
Bertrand Schmitt
Chief Technical Officer
mailto:bertrand.schmitt () arkadia com
http://www.arkadia.com
Tel: +33(0)1 41214416
Fax: +33(0)1 41214415
42, rue Louis Calmel
92230 Gennevilliers - France
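Both sides of the thread agree on one thing: the database should only be reached through a narrow interface that validates its inputs, whichever tier that interface lives in. The following is an added illustration of that "well-defined, well-protected interface" idea, not code from either poster or from Site Server. It uses Python and an in-memory SQLite table as a stand-in for the commerce database; the `products` table, the sample rows, and the `SKU-nnnn` naming convention are all constructed for the example. The first function pastes user input straight into SQL, which is the class of defect the advisory describes; the gateway class below it applies a whitelist check and then passes the value as a bound parameter, so the database only ever sees it as data.

```python
import re
import sqlite3

# Constructed catalogue rows; an in-memory SQLite database stands in for
# the SQL Server back end behind Site Server in the thread.
SAMPLE_ROWS = [
    ("SKU-1001", "Widget", 9.99),
    ("SKU-1002", "Gadget", 19.99),
    ("SKU-2001", "Internal test item", 0.0),
]

# Assumed catalogue convention for this example: "SKU-" plus four digits.
SKU_PATTERN = re.compile(r"^SKU-\d{4}$")


def open_catalogue():
    """Create and populate the constructed in-memory catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_lookup(conn, sku):
    """The defect class from the advisory: input concatenated into SQL.

    Any quote character in `sku` changes the structure of the statement
    instead of being treated as part of the value being searched for.
    """
    sql = "SELECT sku, name FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def parameterised_lookup(conn, sku):
    """Same query with a bound parameter: the driver sends the value
    separately from the statement, so it can never alter the SQL."""
    cur = conn.execute("SELECT sku, name FROM products WHERE sku = ?", (sku,))
    return cur.fetchall()


class CatalogueGateway:
    """Narrow middleware interface in the sense the quoted post argues for.

    Callers never see a connection or compose SQL; every entry point
    validates its arguments against the expected shape and then uses a
    parameterised statement. Validation rejects malformed values early
    with a clear error, and parameterisation is the backstop if a check
    is ever loosened or forgotten.
    """

    def __init__(self, conn):
        self._conn = conn

    def lookup_sku(self, sku):
        if not isinstance(sku, str) or not SKU_PATTERN.match(sku):
            raise ValueError("sku rejected by input validation")
        return parameterised_lookup(self._conn, sku)


def demo():
    """Compare the three paths on a valid SKU and on a hostile string.

    Returns (rows from unsafe path, rows from parameterised path,
    whether the gateway rejected the hostile value) for the hostile input.
    """
    conn = open_catalogue()
    gateway = CatalogueGateway(conn)
    hostile = "x' OR '1'='1"  # constructed: a quote-bearing non-SKU value
    unsafe_rows = unsafe_lookup(conn, hostile)
    param_rows = parameterised_lookup(conn, hostile)
    try:
        gateway.lookup_sku(hostile)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_rows, param_rows, rejected


if __name__ == "__main__":
    unsafe_rows, param_rows, rejected = demo()
    print("unsafe path returned", len(unsafe_rows), "rows")
    print("parameterised path returned", len(param_rows), "rows")
    print("gateway rejected hostile input:", rejected)
```

The point of keeping `parameterised_lookup` separate from the gateway's whitelist is that the two controls fail independently: the regex documents what a SKU is supposed to look like and keeps junk out of the business logic, while the bound parameter guarantees that even a value which slips past validation is still only a value. Stored procedures, as Bertrand notes, can sit behind the same gateway for the hot paths without changing this picture, provided the procedure itself does not rebuild dynamic SQL from its arguments.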