Timeline for When not to use ORM and prefer stored procedures?
Current License: CC BY-SA 4.0
12 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Oct 17, 2019 at 8:31 | history | suggested | Hemant | CC BY-SA 4.0 | corrected spellings |
| Oct 17, 2019 at 7:08 | review | Suggested edits | | | Oct 17, 2019 at 8:31 |
| Mar 6, 2013 at 2:56 | comment | added | NoChance | | @WyattBarnett, thanks for your comment. Personally, dynamic SQL generation still scares me in large applications for many reasons. |
| Mar 5, 2013 at 17:24 | comment | added | Wyatt Barnett | | @EmmadKareem -- one of the biggest SQL injections I've ever seen was a stored proc taking parameters and then generating dynamic SQL internally. This was a very common practice back in the early part of the century when the mantra was "always do data access via sprocs". |
| Apr 4, 2012 at 23:08 | comment | added | rlperez | | @EmmadKareem Parameterized SQL is a big step in making it safe. I think this guy makes a reasonable case: palpapers.plynt.com/issues/2006Jun/injection-stored-procedures . A search on "Stored Procedure SQL Injection" will turn up a lot of hits. It's always good to sanitize your inputs, and a lot of platforms provide a built-in way to do it reasonably well. |
| Apr 4, 2012 at 22:49 | comment | added | NoChance | | @Rig 1, thank you for your comment, I wish to learn more about what you think of this. My understanding comes from this text (at least): "You can thwart SQL Server injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users." that appears in msdn.microsoft.com/en-us/library/bb669057.aspx |
| Apr 4, 2012 at 20:55 | comment | added | rlperez | | Stored procedures have virtually no impact on the vulnerability to SQL injection attacks. Old myths die hard. |
| Mar 23, 2012 at 12:01 | vote | accept | RPK | | |
| Mar 12, 2012 at 12:35 | comment | added | NoChance | | @MainMa, thanks for your comment. My understanding is that using SPs, one could reduce the risk of SQL injection by the use of a parameterized stored procedure with embedded parameters, as this article suggests: palpapers.plynt.com/issues/2006Jun/injection-stored-procedures |
| Mar 12, 2012 at 11:15 | comment | added | Arseni Mourzenko | | I believe that the security argument is not related to SQL injection, but rather to the permissions (i.e. it's mostly straightforward to manage permissions for a specific stored procedure for the users which have access to the database, but managing those permissions on tables, columns and rows is either harder or impossible). Still, the security argument remains debatable. |
| Mar 12, 2012 at 11:09 | history | edited | NoChance | CC BY-SA 3.0 | added 256 characters in body |
| Mar 12, 2012 at 11:03 | history | answered | NoChance | CC BY-SA 3.0 | |
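The point Wyatt Barnett and Arseni Mourzenko make in the comments above, as an added illustration that is not part of the thread: a stored procedure that splices its parameter into dynamic SQL is itself the injection point, while one that binds the value through sp_executesql keeps the statement text fixed, and the permission model then limits the login to that fixed query. It assumes SQL Server (T-SQL); the table dbo.Customers, its columns and the login name are constructed for the example.

```sql
-- Added example (not from the thread). Assumes SQL Server / T-SQL.
-- dbo.Customers, its columns and app_login are constructed names.

-- 1. A procedure that builds its query by string concatenation.
--    Calling it through a parameterized command does not help: the value
--    is pasted back into SQL text here, so the procedure is the weak point.
CREATE OR ALTER PROCEDURE dbo.FindCustomer_Unsafe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N''';';
    EXEC (@sql);   -- the parameter has become part of the statement
END;
GO

-- 2. Same procedure, value bound as a real parameter. The statement text
--    never changes; @LastName is passed as data and is not parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.FindCustomer_Safe
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, LastName FROM dbo.Customers WHERE LastName = @p_LastName;';
    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName NVARCHAR(100)',
        @p_LastName = @LastName;
END;
GO

-- 3. The permissions argument from the thread: the application login gets
--    EXECUTE on the procedure and no rights on the table. Because procedure
--    and table share the dbo owner, ownership chaining lets the fixed query
--    read dbo.Customers without granting SELECT on it.
GRANT EXECUTE ON dbo.FindCustomer_Safe TO app_login;
GO

-- An ordinary name containing an apostrophe is handled correctly by the
-- parameterized version (constructed sample input):
EXEC dbo.FindCustomer_Safe @LastName = N'O''Brien';
```

With the same input, FindCustomer_Unsafe raises a syntax error because the embedded quote terminates the string literal early; that error is the visible symptom of text and data being mixed, and the reason concatenation inside a procedure should be treated as dynamic SQL wherever it lives.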