Message: 5
Date: Thu, 24 Aug 2006 08:30:46 -0700
From: [EMAIL PROTECTED]
Subject: RE: ProfoxTech Digest, Vol 39, Issue 93
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/plain; CHARSET=US-ASCII

> From: MB Software Solutions <[EMAIL PROTECTED]>
>
> Mike yearwood wrote:
>
> > Don't be sold on stored procedures. If all you're doing is queries,
> > there's no performance benefit whatsoever. There was a performance
> > benefit in SQL 6.5, but that's ancient history.
>
> Just ask Steve Russell. <gd&r>

Just be sure that your limits for your return data are NEVER input into a textbox by a user. Or that text isn't pre-screened before getting bound into your statement. :) Having a param could save your bacon.
If you are passing parameters via ad-hoc parameterized SQL, user text need not be pre-screened. The user text is not bound into the statement; it is bound to the parameters.

    lctext = "hacker entered sql injection"
    SQLEXEC(gnConnHandle, 'SELECT * FROM sometable where field = ?lctext', 'MyCursor')

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
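The distinction the reply draws, between text spliced into the statement and text bound to a parameter, is easier to see side by side. The following is an added example, not code from the original thread and not VFP: Python's sqlite3 module stands in for SQLEXEC, with its `?` placeholder playing the role of `?lctext`. The table, column names and sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the thread's "sometable"; the
# column names and rows are assumptions, not from the original message.
ROWS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def open_db():
    """Create an in-memory database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (field TEXT, email TEXT)")
    conn.executemany("INSERT INTO sometable VALUES (?, ?)", ROWS)
    return conn


def query_concatenated(conn, user_text):
    """Unsafe form: the user's text is spliced into the SQL string itself, so
    any quote character it contains changes the statement's structure."""
    sql = "SELECT field FROM sometable WHERE field = '" + user_text + "'"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, user_text):
    """Safe form, equivalent to the ?lctext placeholder in SQLEXEC: the text
    travels as a bound value and is only ever compared as data, so no
    pre-screening of quotes is needed."""
    sql = "SELECT field FROM sometable WHERE field = ?"
    return [row[0] for row in conn.execute(sql, (user_text,))]


def concatenation_fails(conn, user_text):
    """True if the concatenated statement is not even valid SQL for this input
    (an apostrophe in ordinary data is enough to break it)."""
    try:
        query_concatenated(conn, user_text)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = open_db()
    # A quote-bearing input: ordinary data to the parameterized query,
    # a structural change to the concatenated one.
    text = "x' OR '1'='1"
    print(query_concatenated(conn, text))   # matches every row
    print(query_parameterized(conn, text))  # matches nothing: compared as a literal
    print(concatenation_fails(conn, "O'Brien"))  # True: a legitimate name breaks it
```

The parameterized query returns no rows for the quote-bearing text because the database compares the whole string, quotes included, against the column; the concatenated query either returns every row or, for a name like O'Brien, fails to parse at all. Pre-screening the text is only a requirement of the first form.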

