Windows Based Database Program

Cheetah (Well-known member; joined Oct 12, 2006; 232 messages; programming experience: Beginner)
Hi there,

Do I have to take the same security precautions when using windows based database programs as with a web based security program?

Like, for instance, in PHP I have to protect against SQL injections etc.

Do I have to do the same for windows based programming?

Thanks.
 
I think everyone recommends parameterizing your query variables instead of building queries up from raw strings and literals. My impression is that this is largely for the purpose of combatting SQL injections. But it's not much extra effort. I don't guess that executable script code can be injected the way it can through HTTP. (You're probably looking for a more expert opinion than mine. :) )
 
Always always always use parameterized queries, even dynamic ones.

All DB apps not using parameterized queries are liable to SQL injection. Don't assume that just because it's not a public app on a webserver, someone isn't going to break it, intentionally or otherwise. Param queries are faster too, because the DB engine knows exactly what to cache and pre-plan. Additionally, the code is cleaner, more self-explanatory and less resource intensive on the client side.

In fact, I can't think of a good reason NOT to use a param query. If anyone knows one, let me know!


repeat after me:
"The '80s are over. I will hence never ever use non-parameterized queries"
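An added example (mine, not from any poster in this thread) showing the two approaches side by side, with Python's sqlite3 standing in for whatever Windows data-access library the app uses; the table, the user record and the crafted form input are all constructed. In ADO.NET the parameterized form corresponds to adding entries to the command's Parameters collection instead of concatenating strings.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, user_id, password):
    """Vulnerable: the query is built from raw strings, so whatever the user
    typed becomes part of the SQL text and can change what the query means."""
    sql = ("SELECT COUNT(*) FROM users WHERE id = '" + user_id
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, user_id, password):
    """Safe: the values travel as parameters. The engine parses the SQL once
    (which is also why the plan can be cached) and treats the values as data."""
    sql = "SELECT COUNT(*) FROM users WHERE id = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone()[0] > 0


def compare():
    """Run both versions over the same inputs and return the accept/reject
    decisions, so the difference is visible as data rather than printed text."""
    conn = make_db()
    good = ("alice", "s3cret")
    wrong = ("alice", "wrong")
    # Constructed text typed into a desktop login form; being a Windows client
    # rather than a web page does nothing to stop it reaching the database.
    crafted = ("alice", "x' OR '1'='1")
    return {
        "concat": [login_concat(conn, *c) for c in (good, wrong, crafted)],
        "param": [login_param(conn, *c) for c in (good, wrong, crafted)],
    }


if __name__ == "__main__":
    print(compare())
```

The concatenated version accepts the crafted password because the quote ends the string literal and the rest is parsed as SQL; the parameterized version compares it as an ordinary (wrong) password.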
 
I don't use parameterized queries in my application with a public portal. But my app isn't quite normal. I simply compare the password and id to a pre-queried collection of users and passwords. I found that I was making far too many queries to my database, and with a few simple objects that don't really change (like users and passwords), which are updated every few minutes, I was able to cut the amount of queries down considerably (over 50%). Since users don't have any connection to the database I can't be affected by SQL injection attacks (but I admit this was a problem at one point; the objects solved it completely (this was before I had heard about parameterized queries as well)).
I admit however that I'm wanting to play around with the parameterized queries once I get some time and see how they impact on performance and design. Also wondering how they would impact on my maintenance of the code. Not that I am having any problems in that area at the moment.
On another note, there are places in my code that I'm confident will improve with the parameterized. I just haven't done it, mainly due to time constraints.
 