Microsoft Techniques

By Timothy Dyck  |  Posted 2002-10-14

While Oracle used a SQL scrubbing procedure to ensure commands sent to the database were safe, Microsoft went one step further. In addition to a SQL validation class, Microsoft staffers encapsulated every database query and command needed by the application into separate stored procedures.

"The Web user has no access to the base tables," said Erik Olson, program manager, Microsoft .Net Framework team, in Redmond, Wash., and the person who did most of the coding on the Microsoft application. "There's probably 20 [stored procedures] altogether. Every time there was some unit of work to be done, we broke that down into a stored procedure. There are two primary reasons: It's a lot easier to guard against SQL injection attacks because the database strongly types the data. The other thing is you tend to get a little bit better performance."
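The pattern Olson describes, sketched in T-SQL as an added example (it is not code from the Microsoft test application): the web account can execute a typed stored procedure but cannot touch the base table. The table, procedure and user names are hypothetical, and the syntax assumes a current SQL Server release rather than the 2002 one.

```sql
-- Added example. dbo.Orders, dbo.usp_GetOrdersForCustomer and WebAppUser are
-- hypothetical names, not the schema of the Microsoft test application.
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY(1,1) PRIMARY KEY,
    CustomerId INT           NOT NULL,
    Item       NVARCHAR(100) NOT NULL,
    Total      DECIMAL(10,2) NOT NULL
);
GO

-- One unit of work per procedure. @CustomerId is declared INT, so the
-- engine type-checks the value before the SELECT is ever executed.
CREATE PROCEDURE dbo.usp_GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    -- Static SQL only. Building a string and running it with EXEC() here
    -- would reintroduce injection inside the procedure.
    SELECT OrderId, Item, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- Web-tier account: EXECUTE on the procedure, nothing on the base table.
-- Both objects are owned by dbo, so ownership chaining lets the procedure
-- read the table on the caller's behalf.
CREATE USER WebAppUser WITHOUT LOGIN;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO WebAppUser;
GRANT EXECUTE ON dbo.usp_GetOrdersForCustomer TO WebAppUser;
GO

-- Verify the boundary from the web account's point of view.
EXECUTE AS USER = 'WebAppUser';
EXEC dbo.usp_GetOrdersForCustomer @CustomerId = 42;   -- the permitted path
BEGIN TRY
    SELECT * FROM dbo.Orders;                         -- direct table access
END TRY
BEGIN CATCH
    PRINT 'Direct table access refused: ' + ERROR_MESSAGE();
END CATCH;
BEGIN TRY
    -- Constructed hostile input; it is not a valid INT.
    EXEC dbo.usp_GetOrdersForCustomer @CustomerId = '42 OR 1=1';
END TRY
BEGIN CATCH
    PRINT 'Parameter refused: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
```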

Microsoft chose to use C# as the language for the application. For parameter validation and user authentication, Microsoft used ASP .Net's built-in forms validation and user authentication manager, respectively.

Microsoft staffers also used encryption for user passwords and credit card data. They did this job in application server code using Windows' built-in encryption APIs and stored the encryption key in the registry. The key was further protected by registry access controls so that only the Web application user account and administrator accounts had access to the key.

Microsoft also configured IIS and ASP .Net to return a generic error page if an error occurs.

The Microsoft test application can be accessed at

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
