I am researching the use of OpenXml for doing mass updates/inserts. Does anyone know how this procedure works as far as sql injection is concerned? I've always been taught to use sp's with parameters...does using OpenXML open up any holes in that idea? My thinking is that it would be fine (maybe even better), because the fields will still be treated as literals. Alternatively, are there any other suggestions for doing massive amounts of updates/inserts?
figital (mharen@gmail.com) writes:

> I am researching the use of OpenXml for doing mass updates/inserts.
>
> Does anyone know how this procedure works as far as sql injection is
> concerned? I've always been taught to use sp's with parameters...does
> using OpenXML open up any holes in that idea?
>
> My thinking is that it would be fine (maybe even better), because the
> fields will still be treated as literals.
>
> Alternatively, are there any other suggestions for doing massive
> amounts of updates/inserts?

We have a few places where we used to send down a lot of rows one by one, where we now send down one big XML document for vastly improved performance.

Assuming that you pass your XML document to a stored procedure, call that procedure through RPC (that is, not an EXEC statement), and don't use dynamic SQL, there is no entry point for SQL injection.

--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at http://www.microsoft.com/sql/prodinf...ons/books.mspx
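The pattern described in the reply above, as an added T-SQL example that is not part of the original thread: the whole batch arrives as one XML parameter, OPENXML shreds it into a typed rowset, and the rows are applied set-based. The table, procedure and column names are constructed for illustration.

```sql
-- Target table (constructed for this example).
CREATE TABLE dbo.Product (
    ProductId   int           NOT NULL PRIMARY KEY,
    ProductName nvarchar(100) NOT NULL,
    UnitPrice   decimal(10,2) NOT NULL
);
GO

-- The batch is bound as a parameter (RPC call, no EXEC of a concatenated
-- string), so attribute values are data: OPENXML converts them into typed
-- columns and they are never parsed as T-SQL.
CREATE PROCEDURE dbo.Product_Upsert_FromXml
    @doc nvarchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @hdoc int;
    EXEC sp_xml_preparedocument @hdoc OUTPUT, @doc;

    -- The WITH clause forces each attribute into a declared type; a value
    -- that is not a valid int or decimal fails conversion rather than
    -- changing the shape of the query.
    SELECT ProductId, ProductName, UnitPrice
    INTO #Incoming
    FROM OPENXML(@hdoc, '/Products/Product', 1)
         WITH (ProductId   int           '@id',
               ProductName nvarchar(100) '@name',
               UnitPrice   decimal(10,2) '@price');

    EXEC sp_xml_removedocument @hdoc;   -- always release the parsed document

    -- Update existing rows, then insert the rest: one round trip per batch.
    UPDATE p SET p.ProductName = i.ProductName, p.UnitPrice = i.UnitPrice
    FROM dbo.Product p JOIN #Incoming i ON i.ProductId = p.ProductId;

    INSERT dbo.Product (ProductId, ProductName, UnitPrice)
    SELECT i.ProductId, i.ProductName, i.UnitPrice
    FROM #Incoming i
    WHERE NOT EXISTS (SELECT 1 FROM dbo.Product p WHERE p.ProductId = i.ProductId);
END
GO

-- Constructed input: quotes and XML entities in a name are stored verbatim,
-- because the value is shredded as text, not spliced into a statement.
EXEC dbo.Product_Upsert_FromXml
    N'<Products>
        <Product id="1" name="O''Brien''s 1/4&quot; widget" price="9.99"/>
        <Product id="2" name="Gadget" price="19.50"/>
      </Products>';
```

The guarantee only holds if the client passes the document as a parameter (for example a SqlParameter on a CommandType.StoredProcedure call); assembling the EXEC statement by string concatenation on the client side reintroduces the injection path the reply warns about.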