Reply to Re: SQLInjection with OpenXML

Your name:

Reply:


Posted by Erland Sommarskog on 03/09/06 17:33

figital (mharen@gmail.com) writes:
> I am researching the use of OpenXml for doing mass updates/inserts.
>
> Does anyone know how this procedure works as far as sql injection is
> concerned? I've always been taught to use sp's with parameters...does
> using OpenXML open up any holes in that idea?
>
> My thinking is that it would be fine (maybe even better), because the
> fields will still be treated as literals.
>
> Alternatively, are there any other suggestions for doing massive
> amounts of updates/inserts?

We have a few places in our where we used to send down lot a rows one
by one, where we now send down one big XML document for vastly improved
performance.

Assuming that you pass your XML document to a stored procedure, and
call that procedure through RPC (that is, not an EXEC statement), and
don't use dynamic SQL, there is entry for SQL injection.


--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация