[14131] in bugtraq
Re: BID 994,MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
daemon@ATHENA.MIT.EDU (Bertrand Schmitt)
Wed Mar  1 23:26:55 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
              boundary="----_=_NextPart_001_01BF8378.03A7E634"
Message-Id:  <BEDFBD9FD17CD3118F7400105ACCDC86DA05@lanfeust.corp.arkadia.com>
Date:         Wed, 1 Mar 2000 13:16:46 +0100
Reply-To: Bertrand Schmitt <bertrand.schmitt@ARKADIA.COM>
From: Bertrand Schmitt <bertrand.schmitt@ARKADIA.COM>
X-To:         "jogata@NODC.NOAA.GOV" <jogata@NODC.NOAA.GOV>
To: BUGTRAQ@SECURITYFOCUS.COM
------_=_NextPart_001_01BF8378.03A7E634
Content-Type: text/plain
>Actually, it can be argued that using stored procedures is in general bad
>design, as it buries your business rules down in the database layer. At the
>same time, reliance on stored procedures usually locks you into a single
>database vendor, thereby making the system unportable.
Stored procedures are fast & efficient, so you have to choose!
>A better design is middleware written in a proper, portable language that can
>enforce your business rules and validate all input thoroughly, and narrows the
>access to the database to a well-defined, well-protected interface. Programmers
>can then make major mistakes in the interface code without risking database
>compromise. In addition, using middleware gives you the opportunity of using a
>language such as Perl that is well adapted to input validation and string
>manipulation, and all the advantages of *real* code reuse.
But isn't ASP used as middleware in that case?!
Using Perl as well-adapted middleware, and "a proper, portable language",
is quite a funny thing!! You must be joking??
Have you ever tried to maintain Perl code written by people other than you?
Tried to use its object-oriented features ;-))? Real code reuse in Perl!!!
Do you mean copy & paste operations???
With ASP you use a "glue" called JavaScript & VBScript, and for the really
complicated business logic you use truly advanced & proper programming
languages like C++ or even Java...
Stored procedures can be used for operations which have to be
very fast, or when you want to be sure of the "low-level" integrity
of your database ...
_____________________
Bertrand Schmitt
Chief Technical Officer
mailto:bertrand.schmitt@arkadia.com
http://www.arkadia.com
Tel : +33(0)1 41214416
Fax : +33(0)1 41214415
42, rue Louis Calmel
92230 Gennevilliers - France
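The thread above argues about where SQL input should be validated: in the middleware, or behind a stored-procedure interface. The following is an added example, not code from the original post or from Site Server; it uses Python with sqlite3 as a stand-in for the ASP/SQL Server stack under discussion, with a hypothetical `products` table and constructed rows. It puts the non-validated pattern (user input pasted into the SQL text) beside a parameterized query, and adds the kind of whitelist check the middleware argument calls for.

```python
import re
import sqlite3

# Constructed sample rows for a hypothetical catalogue table; not from the advisory.
SAMPLE_PRODUCTS = [
    (1, "widget", 9.99, 1),
    (2, "gadget", 19.99, 1),
    (3, "internal-prototype", 0.0, 0),  # visible = 0: not meant for customers
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, visible INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_concat(conn, term):
    """The non-validated pattern: the search term becomes part of the SQL text.

    A term such as  x%' OR 1=1 --  turns the WHERE clause into
    "visible = 1 AND name LIKE '%x%' OR 1=1 --%'", which matches every row,
    including the one the visible flag was supposed to hide.
    """
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """The interface-layer fix: the term travels as a bound parameter, never as SQL.

    The same payload is now just an unusual string to match against, so the
    hidden row stays hidden. (LIKE wildcards inside the term still act as
    wildcards; that is a matching quirk, not an injection.)
    """
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Middleware-side whitelist: letters, digits, space, underscore and hyphen only,
# bounded in length. Quotes, '%' and comment markers never reach the database.
_TERM_RE = re.compile(r"^[A-Za-z0-9 _-]{1,32}$")


def validate_term(term):
    """Reject any search term that is not plain catalogue text."""
    if not _TERM_RE.match(term):
        raise ValueError("search term rejected: %r" % (term,))
    return term


if __name__ == "__main__":
    conn = make_db()
    payload = "x%' OR 1=1 --"
    print("concatenated, benign:", search_concat(conn, "get"))
    print("concatenated, payload:", search_concat(conn, payload))
    print("parameterized, payload:", search_param(conn, payload))
    try:
        validate_term(payload)
    except ValueError as exc:
        print("middleware check:", exc)
```

The caveat worth keeping in mind for the stored-procedure side of the argument: a procedure called by concatenating the user's input into an `EXEC` string is just as injectable as the inline query above. What closes the hole is binding the input as a parameter, whether the target is a procedure or a plain statement; the whitelist is the belt to that pair of braces.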
------_=_NextPart_001_01BF8378.03A7E634--