Microsoft Techniques While Oracle used a SQL scrubbing procedure to ensure commands sent to the database were safe, Microsoft went one step further. In addition to a SQL validation class, Microsoft staffers encapsulated every database query and command needed by the application into separate stored procedures. Microsoft chose to use C# as the language for the application. For parameter validation and user authentication, Microsoft used ASP .Net's built-in forms validation and user authentication manager, respectively. Microsoft staffers also used encryption for user passwords and credit card data. They did this job in application server code using Windows built-in encryption APIs and stored the encryption key in the registry. The key was further protected by registry access controls so that only the Web application user account and administrator accounts had access to the key. Microsoft also configured IIS and ASP .Net to return a generic error page if an error occurs. The Microsoft test application can be accessed at www.ms.openhack.com/default.aspx.
"The Web user has no access to the base tables," said Erik Olson, program manager, Microsoft .Net Framework team, in Redmond, Wash., and the person who did most of the coding on the Microsoft application. "There's probably 20 [stored procedures] altogether. Every time there was some unit of work to be done, we broke that down into a stored procedure. There are two primary reasons: It's a lot easier to guard against SQL injection attacks because the database strongly types the data. The other thing is you tend to get a little bit better performance."
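The stored-procedure pattern described above, as an added C# example that is not Microsoft's OpenHack code: a query built by string concatenation is shown beside the hardened call, which hands the database a strongly typed parameter and names a stored procedure instead of sending SQL text. The procedure dbo.GetOrdersForCustomer, the Orders table, the WebAppUser login and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the OpenHack application. Assumes SQL Server,
// a stored procedure dbo.GetOrdersForCustomer(@CustomerId int), and a
// connection string the web application reads from its configuration.
public static class OrderData
{
    // VULNERABLE: user input is pasted into the SQL text, so any SQL syntax
    // in the input becomes part of the statement the database executes.
    public static DataTable GetOrdersUnsafe(string connStr, string customerId)
    {
        string sql = "SELECT OrderId, Total FROM Orders WHERE CustomerId = " + customerId;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: the query lives in a stored procedure; the application supplies
    // only a typed value. @CustomerId is an int to the database, never SQL text.
    // Least privilege on the database side (assumed grants, not on the page):
    //   GRANT EXECUTE ON dbo.GetOrdersForCustomer TO WebAppUser;
    //   -- and no SELECT/INSERT/UPDATE/DELETE on dbo.Orders for WebAppUser,
    //   -- so the web user "has no access to the base tables".
    public static DataTable GetOrdersSafe(string connStr, string customerId)
    {
        // Validate the type in application code first (ASP.NET validators can
        // do this declaratively); reject anything that is not a positive int.
        if (!int.TryParse(customerId, out int id) || id <= 0)
            throw new ArgumentException("CustomerId must be a positive integer.");

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("dbo.GetOrdersForCustomer", conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = id;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

A useful check when reviewing such code is that no SqlCommand anywhere in the application has CommandType.Text with a string built from request data; a grep for `+ ` or string interpolation inside SQL literals usually finds the stragglers.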