Thread: Secure Coding
Old 19-07-2010, 17:53   #21
punky
Inactive
 
Join Date: Jun 2003
Age: 44
Posts: 14,750
Re: Secure Coding

Quote:
Originally Posted by Damien
Like I mentioned previously, the database does require support. This is because parametrised queries are not queries which are then escaped by the ADO.Net framework.

Instead, these are queries which are passed down to the database with the tokens (@whatever) intact. The MS SQL database does two things, that I know of. First of all, it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised, the only variables to the query are those parameters which it does not need yet.

Second, it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.
You're correct, never realised that before.
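The experiment Damien describes, written out as an added C# example (not code from the thread or from either poster): the parameterised SQL text is sent to SQL Server unchanged with its @name token, the value is bound server-side, and omitting the parameter produces a SqlException raised by the server rather than a framework-side error. It assumes a Users(Id, Name) table, a placeholder connection string, and the Microsoft.Data.SqlClient package (System.Data.SqlClient behaves the same on .NET Framework); the input value is constructed for the demonstration.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;   // System.Data.SqlClient on .NET Framework

static class ParameterisedQueryDemo
{
    // Placeholder connection string (assumption, not from the thread); replace with your own.
    private const string ConnectionString =
        "Server=YOUR_SERVER;Database=YOUR_DB;Integrated Security=true;TrustServerCertificate=true;";

    // Escaping-by-concatenation: the value becomes part of the SQL text the server parses,
    // so an apostrophe in the data changes the statement itself. Shown for contrast only.
    static string BuildConcatenatedQuery(string name) =>
        "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";

    // Parameterised form: the SQL text is constant and keeps the @name token. The value
    // travels separately and is bound by SQL Server as data, never parsed as SQL.
    // Because the text is identical on every call, the server can reuse its cached plan.
    static int CountUsersByName(SqlConnection conn, string name)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return (int)cmd.ExecuteScalar();
    }

    // Damien's test: same tokenised text, but the parameter is "forgotten". The failure
    // comes back as a SqlException from the server (error 137, "Must declare the scalar
    // variable"), not from the .Net framework, which shows the text was handed to the
    // database with the token still in it.
    static bool ForgottenParameterIsReportedByServer(SqlConnection conn)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        using var cmd = new SqlCommand(sql, conn);
        try
        {
            cmd.ExecuteScalar();
            return false; // not expected: the server should reject the undeclared @name
        }
        catch (SqlException ex)
        {
            Console.WriteLine($"Server error {ex.Number}: {ex.Message}");
            return ex.Number == 137;
        }
    }

    static void Main()
    {
        // Constructed input: a legitimate name containing an apostrophe. Concatenated, it
        // breaks the statement; as a parameter it is just a value to compare against.
        string name = "O'Brien";

        Console.WriteLine("Concatenated text (for contrast): " + BuildConcatenatedQuery(name));

        using var conn = new SqlConnection(ConnectionString);
        conn.Open();

        Console.WriteLine("Rows matching the value: " + CountUsersByName(conn, name));
        Console.WriteLine("Forgotten parameter reported by server: "
                          + ForgottenParameterIsReportedByServer(conn));
    }
}
```

Run it against a test database and compare the two outputs: the concatenated text shows the apostrophe splitting the string literal, while the parameterised call returns a count without the value ever touching the SQL text. The ex.Number check is the concrete form of Damien's point: the error carries a SQL Server error number, which the framework would not produce on its own.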