Re: stored procedure security
From: Tenaya (ct_at_ct.ct)
Date: 04/08/04
- Next message: Tenaya: "Re: just below sysadmin"
- Previous message: poncho: "RE: just below sysadmin"
- In reply to: JAverill: "stored procedure security"
- Next in thread: Paul Ibison: "Re: stored procedure security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 8 Apr 2004 16:39:48 -0400
JAverill,
> Is there any way that I can create the dynamic sql statement and still
only have to grant the account
> execute privelages on the stored procedure, and nothing on the tables?
As soon as you employ dynamic sql, the logon executing the stored procedure
must have not only EXEC privileges on the stored procedure but appropriate
privileges on any object referenced within the dynamic SQL.
If you scan (via Google) the archives of this newsgroup, as well as the
.programming newsgroup, you will encounter extensive discussions about the
merits and disadvantages of using dynamic SQL.
Chief Tenaya
"JAverill" <anonymous@discussions.microsoft.com> wrote in message
news:26BFB211-7B11-4A81-8304-A4F0EFF6B25D@microsoft.com...
> I have created a stored procedure that dynamically creates a sql select
statement into a string based on the input variables, then executes the
string using "exec sp_SQLExec @sql". In order to execute this stored
procedure from ASP .NET I had to grant the account that the web server
connects to SQL select privelages on the tables I access in the stored
procedure. Is there any way that I can create the dynamic sql statement and
still only have to grant the account execute privelages on the stored
procedure, and nothing on the tables?
> Thanks!
- Next message: Tenaya: "Re: just below sysadmin"
- Previous message: poncho: "RE: just below sysadmin"
- In reply to: JAverill: "stored procedure security"
- Next in thread: Paul Ibison: "Re: stored procedure security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
