Bugtraq mailing list archives
Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: Steve.Kimble () ICL COM (Steve.Kimble () ICL COM)
Date: Wed, 1 Mar 2000 18:54:07 -0000
-----Original Message-----
From: Jefferson Ogata
Sent: 28 February 2000 20:24

Bertrand Schmitt wrote: If you use Stored Procedure calls in your ASP pages this can't happen!! Manually creating SQL statements within ASP is poor design: not as efficient and secure as storing them in your database server (as stored procedures) and making a call to them, without speaking of coding properly: how do you reuse these pieces of code?!
Jefferson Ogata wrote: Actually, it can be argued that using stored procedures is in general bad design, as it buries your business rules down in the database layer. At the same time, reliance on stored procedures usually locks you into a single database vendor, thereby making the system unportable.
A better design is middleware.... (etc.)
I find the idea of transmitting unvalidated input directly to the database and leaving validation to the unportable stored procedure code to be distinctly unsettling, and of no benefit to security.
Hell's bells! I can't imagine a database designer or coder _not_ performing validation as the data is processed into a database, regardless of whether this has already been done.

Also, the notion of "burying business rules in the database" is totally sound, surely. Have we not (that's the IT industry "we"), for many years, been attempting to tie our data closer to our business rules so that the two become indistinguishable? Stored procedures are just part of that. A simple view of the "data and the means to process it" is an "object", yes? If I could specify one "object" which equates to a complete business, I think I'd make a mint and retire...no, on second thoughts, I think I'd keep the idea very quiet, for similar reasons as the car industry has for not abandoning reciprocating engines that run on oil products.

Regards, Steve.

(Here please read usual stuff re. my opinions not being those of my employers, etc.)
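The two patterns the thread argues over, as an added example that is not code from the thread or from Site Server: SQL text assembled from raw input, the same query with the input bound as a parameter (the separation a parameterised stored-procedure call also gives), and application-layer validation applied before the database is reached at all. Python's sqlite3 stands in for the database server; the table, the SKU format and the inputs are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a product catalogue.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("A100", "Widget", 9.99), ("B200", "Gadget", 19.99)])
    return conn

def lookup_concat(conn, sku):
    # The pattern the thread objects to: the query text is built from raw
    # input, so the input can change the structure of the statement.
    sql = "SELECT sku, name FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, sku):
    # The input travels as a bound parameter and is never parsed as SQL,
    # which is the property a parameterised stored-procedure call relies on.
    return conn.execute(
        "SELECT sku, name FROM products WHERE sku = ?", (sku,)).fetchall()

# Hypothetical SKU format: one upper-case letter and three digits.
SKU_RE = re.compile(r"[A-Z][0-9]{3}")

def is_valid_sku(sku):
    return SKU_RE.fullmatch(sku) is not None

def lookup_validated(conn, sku):
    # Validation in the application layer on top of binding: anything that
    # is not a well-formed SKU is rejected before the database sees it.
    if not is_valid_sku(sku):
        raise ValueError("invalid SKU")
    return lookup_param(conn, sku)

if __name__ == "__main__":
    db = build_db()
    hostile = "A100' OR 'a'='a"  # constructed input that rewrites the WHERE clause
    print(lookup_concat(db, hostile))  # both rows: the condition became always-true
    print(lookup_param(db, hostile))   # []: treated as a literal, nonexistent SKU
    try:
        lookup_validated(db, hostile)
    except ValueError as err:
        print("rejected:", err)
```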