[Dailydave] From blackbox to grey-box during Web App tests
C Q
kyle.c.quest at gmail.com
Sun Oct 14 13:06:15 EDT 2007
Also, just because it's a parameterized stored procedure, it doesn't
automatically mean that it's immune to SQL injection (especially if you use
dynamic SQL inside of those procedures). On top of that there are also
dev-related reasons why some choose not to use stored
procedures in general. Here are a few of them:
1. They slow down the development process making it harder to do the testing
(overall application testing and the stored procedure testing).
2. Because of their procedural nature they are prone to code duplication
(which some developers try to avoid).
3. Integration / configuration management overhead managing separate stored
procedures and the main application code.
> > Why don't more people just use Parameterized Stored
> > Procedures? Is it
> > because there are implementation issues or because people don't know
> > about them? What's your opinion?
>
> I wonder that too. Also, why don't people just not write integer
> overflows?
>
> With the snark bit cleared, I'll point out: lots of projects use
> stored procedures, but have some patches of functionality (like query
> builders) that are easiest to write with raw SQL.
>
>
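The "dynamic SQL inside a stored procedure" case from the post above, as an added example in T-SQL (it is not code from the original message or from any project discussed on the list). It assumes SQL Server and a hypothetical table dbo.Users(UserId, UserName, Email); the procedure, table and column names are illustrative. The first procedure is parameterized at the call boundary but splices the parameter into a string and EXECs it, so it is injectable; the second keeps the dynamic SQL but binds the value through sp_executesql; the final query is a quick audit for procedures that deserve a manual look.

```sql
-- Added example, not from the original post. Assumes SQL Server / T-SQL and a
-- hypothetical table dbo.Users(UserId, UserName, Email).

-- VULNERABLE: the caller passes @UserName as a proper parameter, but inside
-- the procedure it is concatenated into the statement text and executed.
-- The parameter boundary is lost, so the input is injectable.
CREATE PROCEDURE dbo.FindUser_Vulnerable
    @UserName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserId, UserName, Email FROM dbo.Users '
             + N'WHERE UserName = ''' + @UserName + N'''';
    EXEC (@sql);
END;
GO

-- Constructed input that shows the problem:
--   EXEC dbo.FindUser_Vulnerable N'x'' OR 1=1 --';
-- The statement actually executed becomes
--   SELECT UserId, UserName, Email FROM dbo.Users WHERE UserName = 'x' OR 1=1 --'
-- and returns every row in the table.

-- HARDENED: dynamic SQL may still be needed (optional filters, query
-- builders), but the value is passed to sp_executesql as a bound parameter
-- instead of being spliced into the text.
CREATE PROCEDURE dbo.FindUser_Safe
    @UserName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserId, UserName, Email FROM dbo.Users '
             + N'WHERE UserName = @p_UserName';
    EXEC sp_executesql @sql,
                       N'@p_UserName NVARCHAR(100)',
                       @p_UserName = @UserName;
END;
GO

-- The same input is now compared literally against UserName and matches
-- nothing, because the quote and comment characters never reach the parser
-- as SQL syntax.
EXEC dbo.FindUser_Safe N'x'' OR 1=1 --';
GO

-- Quick audit (assumes SQL Server 2005 or later): list stored procedures
-- whose body contains EXEC( or sp_executesql. These are the candidates to
-- review by hand for string-built SQL; the LIKE patterns are a heuristic,
-- not a proof either way.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS proc_name
FROM sys.sql_modules AS m
JOIN sys.procedures  AS p ON p.object_id = m.object_id
WHERE m.definition LIKE '%EXEC%(%'
   OR m.definition LIKE '%sp_executesql%'
ORDER BY schema_name, proc_name;
```

The audit query will also list procedures that already use sp_executesql correctly; the point is to find every place where statement text is assembled at run time, then check whether each value in that text is bound or concatenated.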