dbTalk Databases Forums  

SQLInjection with OpenXML

comp.databases.ms-sqlserver

figital
SQLInjection with OpenXML - 03-09-2006, 09:07 AM

I am researching the use of OpenXml for doing mass updates/inserts.

Does anyone know how this procedure works as far as sql injection is
concerned? I've always been taught to use sp's with parameters...does
using OpenXML open up any holes in that idea?

My thinking is that it would be fine (maybe even better), because the
fields will still be treated as literals.

Alternatively, are there any other suggestions for doing massive
amounts of updates/inserts?

Erland Sommarskog
Re: SQLInjection with OpenXML - 03-09-2006, 09:33 AM

figital (mharen (AT) gmail (DOT) com) writes:
Quote:
I am researching the use of OpenXml for doing mass updates/inserts.

Does anyone know how this procedure works as far as sql injection is
concerned? I've always been taught to use sp's with parameters...does
using OpenXML open up any holes in that idea?

My thinking is that it would be fine (maybe even better), because the
fields will still be treated as literals.

Alternatively, are there any other suggestions for doing massive
amounts of updates/inserts?
We have a few places in our where we used to send down a lot of rows one
by one, where we now send down one big XML document for vastly improved
performance.

Assuming that you pass your XML document to a stored procedure, and
call that procedure through RPC (that is, not an EXEC statement), and
don't use dynamic SQL, there is entry for SQL injection.


--
Erland Sommarskog, SQL Server MVP, esquel (AT) sommarskog (DOT) se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
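The pattern Erland describes, as an added example that is not from the thread: the whole batch arrives as one XML parameter, a stored procedure shreds it with OPENXML, and no value is ever concatenated into SQL text. Table, column and procedure names are assumptions for the illustration.

```sql
-- Added example (not from the thread). Assumed table and procedure names.
CREATE TABLE dbo.Customers (
    CustomerId int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    City       nvarchar(50)  NULL
);
GO

CREATE PROCEDURE dbo.Customers_Upsert
    @doc ntext            -- SQL Server 2000; the xml type works on 2005+
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @h int;
    EXEC sp_xml_preparedocument @h OUTPUT, @doc;

    -- Flag 1 = attribute-centric mapping. Every attribute comes back as a
    -- typed column of a rowset, so a Name such as O'Brien is just data;
    -- there is no statement text for it to break out of.
    UPDATE c
       SET c.Name = x.Name, c.City = x.City
      FROM dbo.Customers AS c
      JOIN OPENXML(@h, '/Customers/Customer', 1)
           WITH (CustomerId int, Name nvarchar(100), City nvarchar(50)) AS x
        ON c.CustomerId = x.CustomerId;

    INSERT dbo.Customers (CustomerId, Name, City)
    SELECT x.CustomerId, x.Name, x.City
      FROM OPENXML(@h, '/Customers/Customer', 1)
           WITH (CustomerId int, Name nvarchar(100), City nvarchar(50)) AS x
     WHERE NOT EXISTS (SELECT 1 FROM dbo.Customers AS c
                        WHERE c.CustomerId = x.CustomerId);

    -- Always release the parsed document; the handle is per-connection memory.
    EXEC sp_xml_removedocument @h;
END
GO

-- Caller side: the document travels as a parameter (RPC call), never as
-- text spliced into an EXEC string. The apostrophe below is doubled only
-- because this is a T-SQL literal; a client driver sends it as-is.
EXEC dbo.Customers_Upsert N'<Customers>
  <Customer CustomerId="1" Name="O''Brien" City="Dublin"/>
  <Customer CustomerId="2" Name="Ada" City="London"/>
</Customers>';

-- The hole reopens only if the procedure turns the shredded values back
-- into SQL text, e.g. SET @sql = '... VALUES (''' + @name + ''')'; EXEC(@sql);
```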
