Re: Preventing Injection - Client Side
From: Willy (willrich33_at_yahoo.com)
Date: 11/10/05
- Next message: Sophie Guo [MSFT]: "Re: SQL 2005 dbo user issue"
- Previous message: resant_v_at_yahoo.com: "Re: How to Run Job without Sysadmin Role"
- In reply to: Dan Guzman: "Re: Preventing Injection - Client Side"
- Next in thread: Geoff N. Hiten: "Re: Preventing Injection - Client Side"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 09 Nov 2005 20:21:43 -0800
Dan, David:

Thank you for making me think about security.

My application does not allow the user to use tables under any other username (such as dbo), so he is fairly isolated. I realize Access defaults to dbo, but I will be shutting the database window down.

I tried to import a file to my database under a different username (like dbo), but Access converted it back to the username of the new database/login, so that seems somewhat secure. This is why I am using Access for a client program.

I am not coding for characters other than Like *[A-Z0-9], so the purging of other characters from the column and table names that the user has control of will have to do for now.

In the documentation I am going to highly recommend "isolating" the application in a separate db for "security reasons."

Thank you for suggesting parameters and DML as solutions for preventing injection. I will keep my eye out for information on them.

I really need to learn more about SQL Server permissions and security.

Willy
*** Sent via Developersdex http://www.developersdex.com ***
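The two controls discussed in this thread, combined in one added example that is not from the original post: user-chosen table and column names are checked against the [A-Z0-9] allow-list (identifiers cannot be bound as parameters), while the search value is passed as a query parameter. Python's built-in sqlite3 stands in for the Access/SQL Server back end here, and the table, columns and rows are constructed for the demo.

```python
import re
import sqlite3

# Willy's rule: nothing but letters and digits in a user-chosen identifier.
IDENT_RE = re.compile(r"^[A-Za-z0-9]+$")


def check_identifier(name: str) -> str:
    """Return name if it is a plain alphanumeric identifier, else raise."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return name


def build_select(table: str, column: str) -> str:
    """Identifiers are validated and then bracket-quoted (Access/T-SQL style);
    the value is a '?' placeholder so the driver binds it as data, not SQL."""
    return (f"SELECT * FROM [{check_identifier(table)}] "
            f"WHERE [{check_identifier(column)}] = ?")


def lookup(conn: sqlite3.Connection, table: str, column: str, value: str) -> list:
    """Run the query with the user-supplied value bound as a parameter."""
    return conn.execute(build_select(table, column), (value,)).fetchall()


def demo() -> dict:
    """Constructed sample table (assumption: sqlite3 stands in for Access)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, City TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)",
                     [("Alice", "Boston"), ("O'Brien", "Dallas")])
    results = {}
    results["normal"] = lookup(conn, "Customers", "City", "Boston")
    # An apostrophe in the value is harmless: it is bound as data and simply
    # matches the stored name, with no string splicing into the SQL text.
    results["quoted_value"] = lookup(conn, "Customers", "Name", "O'Brien")
    # An identifier with anything outside [A-Z0-9] is refused before any SQL
    # is built, which is the purging step from the post made into a hard check.
    try:
        lookup(conn, "Cust-omers", "City", "Boston")
        results["bad_identifier"] = "accepted"
    except ValueError:
        results["bad_identifier"] = "rejected"
    return results
```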