Re: Sql Security ?QL
From: Uri Dimant (urid_at_iscar.co.il)
Date: 11/17/04
Date: Wed, 17 Nov 2004 10:05:12 +0200
WJ
Because you are using DYNAMIC SQL you will have to GRANT permissions on
the underlying table.
To avoid this you can rewrite the dynamic code as a UDF.
"WJ" <JohnWebbs@HotMail.Com> wrote in message
news:%23BAwtoFzEHA.2600@TK2MSFTNGP09.phx.gbl...
> I have the following two procedures:
>
> 1. Create Proc test1 @EmpNo Integer as
> select * from Employees where EmployeeID=@EmpNo
> go
>
> 2. Create Proc test2 @EmpNo Integer as
> declare @sql varchar(80)
> set @sql='select * from Employees where EmployeeID='+cast(@EmpNo as varchar(12))
>
> EXEC (@sql)
> go
>
> ** I granted "Execute" privilege on both procedures above to a Windows 2003
> account called "NetWork Service". This account is used by Asp.Net
> applications to access MS/SQL Server 2000.
>
> The 1st proc works fine, however, the 2nd proc requires me to also Grant
> "Select" privilege on TABLE "Employees" to the "NetWork Service" account.
> Why is that ? I want to use the 2nd Proc because, in certain circumstances,
> the EXEC will let me build dynamic query.
>
> Thanks,
>
> John
>
>
>
>
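
The behaviour discussed in this thread can be reproduced with the script below, which is an added example and not code from either poster. It assumes a scratch database on SQL Server 2005 or later (for `CREATE USER ... WITHOUT LOGIN`, `EXECUTE AS` and `TRY/CATCH`, none of which exist on the SQL Server 2000 instance in the thread); `demo_caller` and the sample row are constructed, and the dynamic procedure is written with `sp_executesql` and a parameter instead of string concatenation, which does not change the permission check.

```sql
-- Added example: run as db_owner in a scratch database. All names are constructed.
CREATE TABLE dbo.Employees (EmployeeID int PRIMARY KEY, LastName varchar(40));
INSERT INTO dbo.Employees (EmployeeID, LastName) VALUES (1, 'Constructed');
GO
-- Static reference: procedure and table share an owner, so the ownership
-- chain applies and the caller's rights on the table are not checked.
CREATE PROC dbo.test1 @EmpNo int AS
    SELECT * FROM dbo.Employees WHERE EmployeeID = @EmpNo;
GO
-- Dynamic SQL: the string runs as its own batch under the caller's identity,
-- so the ownership chain is broken and table permissions are checked.
CREATE PROC dbo.test2 @EmpNo int AS
    DECLARE @sql nvarchar(200);
    SET @sql = N'SELECT * FROM dbo.Employees WHERE EmployeeID = @id';
    EXEC sp_executesql @sql, N'@id int', @id = @EmpNo;
GO
-- Low-privilege principal standing in for the application account.
CREATE USER demo_caller WITHOUT LOGIN;
GRANT EXECUTE ON dbo.test1 TO demo_caller;
GRANT EXECUTE ON dbo.test2 TO demo_caller;
GO
EXECUTE AS USER = 'demo_caller';
EXEC dbo.test1 @EmpNo = 1;           -- EXECUTE on the procedure is all that is needed
BEGIN TRY
    EXEC dbo.test2 @EmpNo = 1;       -- permission check on Employees happens here
END TRY
BEGIN CATCH
    -- Report the permission failure instead of aborting the script.
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
-- If the dynamic form is kept, the grant the thread describes is required.
GRANT SELECT ON dbo.Employees TO demo_caller;
GO
EXECUTE AS USER = 'demo_caller';
EXEC dbo.test2 @EmpNo = 1;
REVERT;
GO
-- Clean up the constructed objects.
DROP PROC dbo.test1;
DROP PROC dbo.test2;
DROP USER demo_caller;
DROP TABLE dbo.Employees;
```

Once `SELECT` is granted on the table, the account can read it with any ad hoc query, not only through `test2`, so the grant widens what the application account can reach.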