Thursday, March 8, 2012
database access & asp.net
If a user has permissions to add and delete rows from a table, i.e. adding and removing items from an order, what is to stop a malicious user changing the product code in the form and then adding to or removing items to/from another user's order?
How do we ensure that the rows the user is editing are rows the user has permission to edit?
Thanks
|||Two words: Application Architecture. Seriously, you need to implement your own security model if you want to provide for row-level and field-level security.
Secondly, if you are developing a web app, the user should not have rights to your database. The connection should be handled by an "Application User" that in turn is managed by a connection pool.
Dan
"Murphy" <murphy@.murphy.com> wrote in message
news:%23wb%23$V%23oDHA.684@.TK2MSFTNGP09.phx.gbl...
> If a user has permissions to add and delete rows from a table i.e. adding
> and removing items from an order what is to stop a malicious user changing
> the product code in the form and then adding to or removing items to/from
> another user's order ?
> How do we ensure that the rows the user is editing are rows the user has
> permission to edit ?
> Thanks
|||Are there any security models that have been tried and proven? I don't want to reinvent the wheel.
Thanks
"solex" <solex@.nowhere.com> wrote in message
news:%23oTqDa%23oDHA.708@.TK2MSFTNGP10.phx.gbl...
|||There are many security models, but none that I have seen will implement row-level security in your database. It has been my experience that if you want granular security you will need to implement it on your own.
Dan
"Murphy" <murphy@.murphy.com> wrote in message
news:eosI6c%23oDHA.2652@.TK2MSFTNGP09.phx.gbl...
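Dan's answer is that the row-level check has to live in the application itself. As an added example (not from the thread, and not ASP.NET code), here is that pattern in Python with sqlite3 standing in for the data layer and SQL Server: every DELETE or INSERT against an order is constrained to orders owned by the authenticated user, whose id comes from the server-side session rather than from the form. Table names, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): two users, each owning one order.
SCHEMA = """
CREATE TABLE orders (order_id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL);
CREATE TABLE order_items (item_id INTEGER PRIMARY KEY, order_id INTEGER NOT NULL,
                          product_code TEXT NOT NULL);
INSERT INTO orders VALUES (1, 100), (2, 200);
INSERT INTO order_items VALUES (10, 1, 'SKU-A'), (20, 2, 'SKU-B');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def delete_item_unscoped(conn, item_id):
    # The pattern the question worries about: the row is selected only by the id
    # that came back from the form, so any logged-in user can delete any item.
    cur = conn.execute("DELETE FROM order_items WHERE item_id = ?", (item_id,))
    conn.commit()
    return cur.rowcount

def delete_item_scoped(conn, current_user_id, item_id):
    # Ownership is part of the statement itself. current_user_id comes from the
    # server-side session, never from the form. rowcount 0 means "no such item
    # or not yours"; both cases look the same, so the response does not reveal
    # whether another user's item id exists.
    cur = conn.execute(
        "DELETE FROM order_items WHERE item_id = ? "
        "AND order_id IN (SELECT order_id FROM orders WHERE owner_id = ?)",
        (item_id, current_user_id))
    conn.commit()
    return cur.rowcount

def add_item_scoped(conn, current_user_id, order_id, product_code):
    # Same rule for adds: INSERT ... SELECT produces no row, and writes nothing,
    # unless the target order belongs to the current user.
    cur = conn.execute(
        "INSERT INTO order_items (order_id, product_code) "
        "SELECT order_id, ? FROM orders WHERE order_id = ? AND owner_id = ?",
        (product_code, order_id, current_user_id))
    conn.commit()
    return cur.rowcount

def item_count(conn, order_id):
    return conn.execute("SELECT COUNT(*) FROM order_items WHERE order_id = ?",
                        (order_id,)).fetchone()[0]
```

The same WHERE-on-owner clause belongs in the UPDATE path too, and the rowcount check is what lets the page return "not found" instead of silently succeeding.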
Saturday, February 25, 2012
DataAdapter - SELECT Statement - items in last 30 days
I am trying to fill the dataset with items only from the last 30 days. I've tried a few different ways, but all the database rows are returned. What is the WHERE clause I should use to do this?
Thanks
|||Try the following SQL statement; I believe it should work.
select * from <tablename> where datediff(day, <columnname>, getdate()) < 30
Hope it solves your issue.
|||Thanks very much, it worked a treat.
Sunday, February 19, 2012
DATA TYPE definitions
I am setting up columns in a data table. Where can I find the definitions and uses for all the items on the DATA TYPE drop-down list, such as ntext and nchar? The data type list is also found under the column properties general section.
SQL Server Books Online is the best resource, so far. It should already have been installed along with the database if you selected the option during installation. If not, it's a free download from the MS website.|||Thanks.
Yes, SQL is installed.
Will a book on SQL help me understand all of the other settings under column properties?
Are you talking about MS SQL?|||
When you install SQL Server you also install the BOL (Books Online), the best documentation in the RDBMS (relational database management systems) business. The following are the data types and explanations based on my experience. Hope this helps.
Bigint, Int, Smallint, Tinyint and Bit (proprietary boolean), so three-valued like the ANSI SQL boolean: true, false and Null (unknown), not an empty string.
Decimal and Numeric
You can set precision and scale.
Money and Smallmoney
There are known rounding issues going back to 1999, so I know better and use Decimal or Numeric.
Float and Real: floating-point data types, used only for T-SQL quantitative functions that are based on Float; cast or convert the results to Decimal or Numeric to store them.
Char: fixed-length ASCII characters, 8000 max. Varchar: variable-length ASCII characters, 8000 max, can overflow. Text: ASCII text that can grow to 2 GB in size.
NChar: fixed-length Unicode, 4000 max. NVarchar: variable-length Unicode characters, 4000 max. NText: Unicode text that can grow to 1 GB in size, because Unicode types are multibyte.
Binary: fixed-length binary data, 8000 max.
Varbinary: variable-length binary data, 8000 max.
Image: variable-length binary data that can grow to 2 GB in size, also known as a BLOB (binary large object).
Other Data Types
Cursor
A reference to a cursor.
Sql_variant
A data type that stores values of various SQL Server-supported data types, except text, ntext, timestamp, and sql_variant.
Table
A special data type used to store a result set for later processing.
Timestamp
A derived data type used by SQL Server internally; it cannot move with your data, but you can create a fake one with datetime and a trigger. A database-wide unique number that gets updated every time a row gets updated.
Uniqueidentifier/NewID
A 16-byte data type, to be used carefully.
A globally unique identifier (GUID).
IDENTITY is a property of the column using it.
Thank you for your time and info. That is helpful info.
Where can I find the books online?
I have installed Visual Web Developer Express 05 and SQL Server 05.
Thanks
|||
Hi
Of the links below, the first holds a copy of the data type page from SQL Server 2000, and the second is the download for the SQL Server 2005 BOL (Books Online). Hope this helps.
http://www.mssqlcity.com/Articles/General/choose_data_type.htm
http://www.microsoft.com/downloads/details.aspx?familyid=BE6A2C5D-00DF-4220-B133-29C1E0B6585F&displaylang=en
Yes, this helped a lot. Thanks.
I just downloaded the BOL for SQL 05.
Is there a list of other BOL for other subjects? (Especially Visual Web Developer Express 05)
I searched the MS download site, but I did not find any other books.
Try the link below to download the .NET 2.0 SDK software development kit and take the visual web developer tour. Hope this helps.
http://www.microsoft.com/downloads/details.aspx?familyid=FE6F2099-B7B4-4F47-A244-C96D69C35DEC&displaylang=en
http://msdn.microsoft.com/vstudio/express/vwd/default.aspx
|||
Having a few problems with BLOB and Oracle: when creating a new automated DataSet, VS2005 believes those are 4000 in length.
http://alpascual.com/blog/al/archive/2006/07/25/238.aspx
Any advice?
Cheers
Al
|||The links below cover all the Oracle data types and the .NET data types, with code samples to get you started. Post again if you still need help.
http://msdn2.microsoft.com/en-us/library/system.data.oracleclient.oraclelob.aspx
http://msdn2.microsoft.com/en-us/library/system.data.oracleclient.oracletype.aspx