Stored Procedures vs No Stored Procedures - Security Viewpoint

Backend · Unresolved · 9 · 619
时光取名叫无心 2020-12-29 11:26

For a web application database, from a security standpoint only, what are arguments counter to the point for an sp only solution where the app db account ha

9 answers
  •  长发绾君心
    2020-12-29 11:27

    The only possible argument against is that I have run into cases where certain statements cannot be effectively parameterized in an SP (and dynamic SQL is required), and this gives you the possibility of in-SP SQL injection. This is really a very narrow consideration, however, and it is a rare case. At least in PostgreSQL I have once in a while seen a few cases where this had to be subject to extra review.

    On the whole, even in these cases, I think that SP-type approaches give you a benefit security-wise because they mean that the application can use generic anti-SQL-injection mechanisms where it might not otherwise be possible, and your SP can be used by many applications. Additionally, if all activity must go through SPs, then you can reduce your exposure to SQL injection and centralize the audits for problems.

    In general, the less a user can do, the less security exposure there is. This also means there is less a user can do with an SQL injection attack.

    Stored procedures generally give better and more granular security than you can do without.
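As an added example (not part of the answer above; the table and role names `orders` and `app_user` are hypothetical), the PostgreSQL case the answer refers to: a sort column cannot be bound as a parameter, so the unsafe version pastes it into the query text, while the hardened version whitelists it, quotes it with `format('%I')`, binds the value with `USING`, and limits the application role to `EXECUTE` only.

```sql
-- Added example (not from the answer above): PostgreSQL pattern for the
-- "dynamic SQL inside a stored procedure" case. Table and role names
-- (orders, app_user) are hypothetical.
CREATE TABLE orders (id serial PRIMARY KEY, customer text, total numeric);

-- Unsafe variant: a sort column cannot be a bound parameter, so it is
-- pasted into the query text. p_sort is unquoted, so the argument can
-- change the statement: the in-SP injection the answer warns about.
CREATE FUNCTION list_orders_unsafe(p_customer text, p_sort text)
RETURNS SETOF orders LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM orders WHERE customer = ' || quote_literal(p_customer)
    || ' ORDER BY ' || p_sort;
END $$;

-- Hardened variant: whitelist the identifier, quote it with format('%I'),
-- bind the value with USING so it never becomes SQL text, and pin
-- search_path because SECURITY DEFINER runs with the owner's privileges.
CREATE FUNCTION list_orders(p_customer text, p_sort text DEFAULT 'id')
RETURNS SETOF orders
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
  IF p_sort NOT IN ('id', 'total') THEN
    RAISE EXCEPTION 'invalid sort column: %', p_sort;
  END IF;
  RETURN QUERY EXECUTE
    format('SELECT * FROM orders WHERE customer = $1 ORDER BY %I', p_sort)
    USING p_customer;
END $$;

-- Least privilege: the application role may only call the procedure and
-- has no direct table access, which bounds what any injection can reach.
REVOKE ALL ON orders FROM PUBLIC;
REVOKE ALL ON FUNCTION list_orders(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION list_orders(text, text) TO app_user;
```

The whitelist check is what makes the identifier safe; `format('%I')` only guarantees the result is a syntactically valid quoted identifier, not that it names a column the caller should be allowed to sort by.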
