If a user has permissions to add and delete rows from a table i.e. adding
and removing items from an order what is to stop a malicious user changing
the product code in the form and then adding to or removing items to/from
another user's order ?
How do we ensure that the rows the user is editing are rows the user has
permission to edit ?
ThanksTwo words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.
Secondly if you are developing a web app the user should not have rights to
your database. The connection should be handled by an "Application User"
that in turn is managed by a Connection Pool.
Dan
"Murphy" <murphy@.murphy.com> wrote in message
news:%23wb%23$V%23oDHA.684@.TK2MSFTNGP09.phx.gbl...
> If a user has permissions to add and delete rows from a table i.e. adding
> and removing items from an order what is to stop a malicious user changing
> the product code in the form and then adding to or removing items to/from
> another user's order ?
> How do we ensure that the rows the user is editing are rows the user has
> permission to edit ?
> Thanks
>|||Are there any security models that have been tried and proven, don't want to
reinvent the wheel ?
Thanks
"solex" <solex@.nowhere.com> wrote in message
news:%23oTqDa%23oDHA.708@.TK2MSFTNGP10.phx.gbl...
> Two words Application Architecture. Seriously you need to implement your
> own security model if you want to provide for row level and field level
> security.
> Secondly if you are developing a web app the user should not have rights
to
> your database. The connection should be handled by an "Application User"
> that in turn is managed by a Connection Pool.
> Dan
> "Murphy" <murphy@.murphy.com> wrote in message
> news:%23wb%23$V%23oDHA.684@.TK2MSFTNGP09.phx.gbl...
> > If a user has permissions to add and delete rows from a table i.e.
adding
> > and removing items from an order what is to stop a malicious user
changing
> > the product code in the form and then adding to or removing items
to/from
> > another user's order ?
> >
> > How do we ensure that the rows the user is editing are rows the user has
> > permission to edit ?
> >
> > Thanks
> >
> >
>|||There are many security models but none that I have seen that will implement
row level security in your database. It has been my experience that if you
want granular security you will need to implement it on your own.
Dan
"Murphy" <murphy@.murphy.com> wrote in message
news:eosI6c%23oDHA.2652@.TK2MSFTNGP09.phx.gbl...
> Are there any security models that have been tried and proven, don't want
to
> reinvent the wheel ?
> Thanks
> "solex" <solex@.nowhere.com> wrote in message
> news:%23oTqDa%23oDHA.708@.TK2MSFTNGP10.phx.gbl...
> > Two words Application Architecture. Seriously you need to implement
your
> > own security model if you want to provide for row level and field level
> > security.
> >
> > Secondly if you are developing a web app the user should not have rights
> to
> > your database. The connection should be handled by an "Application
User"
> > that in turn is managed by a Connection Pool.
> >
> > Dan
> >
> > "Murphy" <murphy@.murphy.com> wrote in message
> > news:%23wb%23$V%23oDHA.684@.TK2MSFTNGP09.phx.gbl...
> > > If a user has permissions to add and delete rows from a table i.e.
> adding
> > > and removing items from an order what is to stop a malicious user
> changing
> > > the product code in the form and then adding to or removing items
> to/from
> > > another user's order ?
> > >
> > > How do we ensure that the rows the user is editing are rows the user
has
> > > permission to edit ?
> > >
> > > Thanks
> > >
> > >
> >
> >
>
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment