Posted by Erland Sommarskog on 03/09/06 17:33
figital (mharen@gmail.com) writes:
> I am researching the use of OpenXml for doing mass updates/inserts.
>
> Does anyone know how this procedure works as far as sql injection is
> concerned? I've always been taught to use sp's with parameters...does
> using OpenXML open up any holes in that idea?
>
> My thinking is that it would be fine (maybe even better), because the
> fields will still be treated as literals.
>
> Alternatively, are there any other suggestions for doing massive
> amounts of updates/inserts?
We have a few places in our where we used to send down a lot of rows one
by one, where we now send down one big XML document for vastly improved
performance.
Assuming that you pass your XML document to a stored procedure, and
call that procedure through RPC (that is, not an EXEC statement), and
don't use dynamic SQL, there is entry for SQL injection.
--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
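The pattern the reply describes, as an added T-SQL example that is not part of the original thread: the whole batch arrives as one XML parameter of a stored procedure and is shredded with OPENXML, so the row values never become part of statement text. The table dbo.Orders, the procedure name and the document layout are assumptions for illustration.

```sql
-- Added example (not from the original post). Table, procedure and
-- element names are assumed for illustration.
CREATE TABLE dbo.Orders (
    OrderId  INT PRIMARY KEY,
    Customer NVARCHAR(100),
    Amount   DECIMAL(10, 2)
);
GO

CREATE PROCEDURE dbo.Orders_BulkInsert
    @doc NTEXT          -- on SQL Server 2005 the xml data type works too
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @handle INT;

    -- Parse the document once. Always release the handle afterwards,
    -- otherwise the parsed tree lives on for the rest of the connection.
    EXEC sp_xml_preparedocument @handle OUTPUT, @doc;

    -- OPENXML exposes the nodes as a rowset (flag 2 = element-centric).
    -- Values arrive as column data, not as SQL text, so a customer named
    -- O'Brien is just a string and cannot alter the statement.
    INSERT INTO dbo.Orders (OrderId, Customer, Amount)
    SELECT OrderId, Customer, Amount
    FROM OPENXML(@handle, '/orders/order', 2)
         WITH (OrderId  INT            'id',
               Customer NVARCHAR(100)  'customer',
               Amount   DECIMAL(10, 2) 'amount');

    EXEC sp_xml_removedocument @handle;
END;
GO

-- Caller: pass the document as a typed parameter (over RPC from a client
-- this is CommandType.StoredProcedure plus a parameter object in ADO.NET).
-- Constructed sample document:
DECLARE @batch NVARCHAR(4000);
SET @batch = N'<orders>
  <order><id>1</id><customer>O''Brien</customer><amount>19.99</amount></order>
  <order><id>2</id><customer>Ada &amp; Co</customer><amount>5.00</amount></order>
</orders>';
EXEC dbo.Orders_BulkInsert @doc = @batch;

-- What the reply warns against: gluing the document into an EXEC string
-- puts it back into statement text and reopens the injection path.
-- EXEC (N'EXEC dbo.Orders_BulkInsert N''' + @batch + N'''');
```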