Websites and Database Views
What are the security implications of websites accessing database views instead of using stored procedures? The views in question are only being read from, not written to.
Edit
The applications in question are ASP.Net MVC 2 using the Entity Framework (v.4).
One security implication - probably the biggest: Views leave you open to the same SQL Injection flaws that accessing tables directly does, if you're building your select statement based on user input.
That's about it, and only if you're basing your SQL statement on input. If you just have a view that is static and you never filter or sort based on input, just select fields from the view, you're no safer or less safe with a stored procedure that returns the same results without parameters.
Other than that, using stored procedures is, in my opinion, just a good habit, and in SQL Server you get optimization features from stored procedures, but that's not security related.
Views don't open you to injection attacks at all. Bad code does that. Even if you use stored procedures, using concatenated/in-line SQL will do that for you, no problem.
Use prepared statements. You will be fine. Views are 100 times easier to work with than debugging ugly stored procedures.
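The point made in the answers above (a view is only as safe as the statement that reads it, and a parameterised query removes the injection risk regardless of whether the target is a table, a view or a stored procedure) can be seen directly with a small script. This is an added example, not code from the question or either answer: it uses Python's built-in sqlite3 module rather than ASP.NET MVC / Entity Framework against SQL Server, and the table, view and column names are constructed for the demonstration. The same contrast applies to any data-access layer that builds SQL strings by concatenation versus one that binds parameters.

```python
import sqlite3

# Constructed sample schema (not from the page): a customers table exposed to
# the application through a read-only view that hides the sensitive column.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT, ssn TEXT)"
    )
    cur.executemany(
        "INSERT INTO customers (name, region, ssn) VALUES (?, ?, ?)",
        [
            ("Alice", "north", "111-11-1111"),  # constructed sample rows
            ("Bob", "south", "222-22-2222"),
            ("Carol", "north", "333-33-3333"),
        ],
    )
    # The view is what the website reads from; it never writes to it.
    cur.execute("CREATE VIEW customer_public AS SELECT id, name, region FROM customers")
    conn.commit()
    return conn


def find_by_region_unsafe(conn, region):
    # Building the WHERE clause from user input by string concatenation.
    # The view gives no protection here: the input is parsed as SQL.
    sql = "SELECT name FROM customer_public WHERE region = '" + region + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_by_region_safe(conn, region):
    # Prepared/parameterised statement: the input is bound as a value and can
    # never change the structure of the query, whatever characters it contains.
    sql = "SELECT name FROM customer_public WHERE region = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (region,))]


def list_all(conn):
    # A static query with no user input: equally safe whether it reads a view,
    # a table or a parameterless stored procedure (the first answer's point).
    return [row[0] for row in conn.execute("SELECT name FROM customer_public ORDER BY name")]


if __name__ == "__main__":
    db = build_db()
    print("static:", list_all(db))
    print("safe, normal input:  ", find_by_region_safe(db, "north"))
    print("unsafe, normal input:", find_by_region_unsafe(db, "north"))
    # Classic tautology payload from any injection tutorial, used here only to
    # show that the view boundary does not stop it; the bound parameter does.
    bad = "north' OR '1'='1"
    print("unsafe, crafted input:", find_by_region_unsafe(db, bad))
    print("safe, crafted input:  ", find_by_region_safe(db, bad))
```

With ordinary input both functions return the same rows. With the crafted value the concatenated query returns every row in the view, while the parameterised query returns nothing because it looks for a region literally equal to the whole string. Note that the view still limits the damage to the columns it exposes (the `ssn` column is not reachable through it), which is a reason to keep read-only views narrow even after the query itself is fixed.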