Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
VFP versus C#.Net
Message
From
14/10/2005 21:52:45
Martin Salias
Southworks
Argentina
 
 
To
14/10/2005 20:37:09
Mike Yearwood
Toronto, Ontario, Canada
General information
Forum:
Visual FoxPro
Category:
Visual FoxPro and .NET
Title:
Re: VFP versus C#.Net
Environment versions
Visual FoxPro:
VFP 8
OS:
Windows XP
Network:
Windows 2003 Server
Database:
Visual FoxPro
Miscellaneous
Thread ID:
01058840
Message ID:
01059382
Views:
12
Hi, Mike.

>I've read stuff that counters every argument you list here. Of most importance to me is the statement that "Parameterized ad-hoc SQL works just as well"
>
>http://weblogs.asp.net/rhoward/archive/2003/11/17/38095.aspx
>
>and in this article http://www.simple-talk.com/2005/04/11/to-sp-or-not-to-sp-in-sql-server/ the guy says
>
>"I do so knowing that I am not getting any unique security benefits using SPs, knowing that the performance benefits are not as clear cut as I once might have thought (but are still real in some cases), knowing how to leverage SPs to minimize the maintenance load, and understanding that I am more tied to SQL Server than I might be if I were to use ad-hoc SQL."

Please, read again my message. What they are saying is almost the same I said. Indeed, they are both more pro-SPs than I am, it seems. I'm not really a big fan of SPs, but learned to work with them because so many people want them in place, so I don't have the options on my side.

>Try this:
>
>Create a table called tblTest with a char (50) field called test_name. Add some dummy records to it. Just for fun add this text as the test_name of one of the records '';DROP TABLE tblTest
>
>Now run this...
>
>
STORE SQLCONNECT('db', 'userid, 'password') TO gnConnHandle
>IF gnConnHandle <= 0
>   = MESSAGEBOX('Cannot make connection', 16, 'SQL Connect Error')
>   RETURN .F.
>ENDIF
>
>LOCAL lcName
>*Simulate user input.
>lcName = "'';DROP TABLE tblTest"
>
>*Dynamically build a where clause consisting of named parameters.
>lcWhere = "where test_name = ?m.lcName"
>
>*Dynamically build the SQL.
>lcSQL = "select * from tblTest " + m.lcWhere
>?m.lcSQL
>SQLEXEC(m.gnConnHandle,m.lcSQL,"c_PersonList")
>BROWSE
>=SQLDISCONNECT(m.gnConnHandle)
>
>The profiler showed that this executed...
>
>
>
exec sp_executesql N'select * from tblTest where test_name = @P1 ', N'@P1 varchar(21)', ''''';DROP TABLE tblTest'
>
>I got back the record with this ''';DROP TABLE tblTest as the test_name field.
>
>So the parameter content was not executed - which would have left an injection opening.
>
>Isn't this the same effect?
>
Dim thisCommand As SQLCommand = New SQLCommand("SELECT Count(*) " & _
> "FROM Users WHERE UserName = @username AND Password = @password", Connection)
>thisCommand.Parameters.Add ("@username", SqlDbType.VarChar).Value = username
>thisCommand.Parameters.Add ("@password", SqlDbType.VarChar).Value = password
>Dim thisCount As Integer = thisCommand.ExecuteScalar()
Well, this is all dynamic SQL, not SPs. Dynamic SQL tends to be a better target for SQL injection. Notice, though, that neither of this attacks can succeed if you take the simple measure of ALWAYS VALIDATE USER INPUT, which is something I always make a point about. Of course, I won't use string concatenation neither.

Even so, SPs are not avoiding the chance if you get the parameters and do the same inside the SP.

Best regards,
Martín Salías
Developer and Architect
Agile Alliance member
C# MVP
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform