Sql Injection virus problem.


jatar_k - 2:46 pm on May 27, 2008 (gmt 0)


That's my understanding as well, MatthewHSE. If your security basics are covered, then this is a non-issue.

>> the problem is most users prefer "Select * from tblUsers" to creating a stored procedure, setting the parameters and calling it

Well, that isn't very concise. Properly processing all data from outside sources is the issue; whether you use a standard select or a stored procedure has little to do with it.

Sorry pageone, that's been sticking in my craw since this morning. :)

>> if at all possible, switch to using a syntax with placeholders and separate values. Make sure you never insert a variable received from a web client directly into an SQL query

Again, you don't need to switch to any particular system. The second part is the important part, but I would take it a step further:

Never trust data from any outside source
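Added illustration of the two points argued above (placeholders versus pasting client input into the SQL text; this is example code written for this page, not code posted by jatar_k or anyone else in the thread). It uses Python's built-in sqlite3 module with an in-memory database and a constructed tblUsers table, so it runs offline; the table name comes from the quote above, the sample rows and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny tblUsers with two accounts (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblUsers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblUsers (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Pastes the web-client values straight into the SQL text.

    Anything the client sends becomes part of the statement, so a quote in
    the input changes the query's structure instead of being compared as data.
    """
    sql = (
        "SELECT id FROM tblUsers WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with placeholders; the values are bound separately.

    The statement's structure is fixed before the values are supplied, so a
    quote or comment marker in the input is just characters to compare against.
    """
    sql = "SELECT id FROM tblUsers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Runs both versions against a legitimate login and two classic injections."""
    conn = make_db()
    comment_user = "alice' --"        # closes the string, comments out the password check
    or_password = "' OR '1'='1"       # closes the string, appends an always-true clause
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_comment": login_vulnerable(conn, comment_user, "anything"),
        "vuln_or": login_vulnerable(conn, "nobody", or_password),
        "param_legit": login_parameterized(conn, "alice", "s3cret"),
        "param_comment": login_parameterized(conn, comment_user, "anything"),
        "param_or": login_parameterized(conn, "nobody", or_password),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated version, the `alice' --` username logs in as alice without a password and the `' OR '1'='1` password returns every row in the table; with placeholders, the same inputs are compared literally and match nothing. This is also why the stored-procedure point is a red herring: a procedure that builds dynamic SQL from its arguments by string concatenation is injectable in exactly the same way, while a plain parameterized SELECT is not.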


Thread source: http://www.webmasterworld.com/databases_sql_mysql/3657200.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com