Hello,
  Is is possible to create a user that it will use only "select"
statement and also lock the "LIKE" statement access from the user ?

Thank you
--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr

Charalampos


Yes and No

Its possible to create a role which only has select privileges for a database and then allocate that role only to a user, but I don't know of any way to lock out a specific type of select.

If they're typing the statements in it should be possible to track back the permissions they have and block it in your app.

Roy Lambert [Team Elevate]

Dear Roy,

> Yes and No
>
> Its possible to create a role which only has select privileges for a database and then allocate that role only to a user, but I don't know of any way to lock out a specific type of select.
>
> If they're typing the statements in it should be possible to track back the permissions they have and block it in your app.
>
> Roy Lambert [Team Elevate]

Here's the problem. It's very easy to hack my application, on the other
hand it's not easy to have the EDB Server remotely ...

IOW, someone can tamper my application and replace the SQL which it will
give him full access to the tables ...

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr

Charalampos

>Here's the problem. It's very easy to hack my application, on the other
>hand it's not easy to have the EDB Server remotely ...

You could try to make it harder to hack your app

>IOW, someone can tamper my application and replace the SQL which it will
>give him full access to the tables ...

If your app allows for anyone to update data in the tables, or worse alter the structure of the tables, then you potentially have a problem. If your concern is viewing data in the app then, in my opinion, you have a much bigger problem. Its easier to secure a database from alteration than viewing.

However, suggestions:

1. Use ElevateDB's inbuilt security and only issue users with the appropriate privileges.
2. Do not give users access to typing in SQL but have a statement generator.
3. Modify the server to validate SQL commands before carrying them out

1 & 2 are a doddle. No 3 I have no idea where to begin

Roy Lambert [Team Elevate]

Michael,

<< Here's the problem. It's very easy to hack my application, on the other
hand it's not easy to have the EDB Server remotely ...

IOW, someone can tamper my application and replace the SQL which it will
give him full access to the tables ... >>

Does the user have direct access to the database catalog and table files ?
If so, then the EDB user security won't help much anyways unless the catalog
and table files are encrypted (the configuration files are always
encrypted).

--
Tim Young
Elevate Software
www.elevatesoft.com

Dear Tim,

> << Here's the problem. It's very easy to hack my application, on the
> other hand it's not easy to have the EDB Server remotely ...
>
> IOW, someone can tamper my application and replace the SQL which it will
> give him full access to the tables ... >>
>
> Does the user have direct access to the database catalog and table files
> ? If so, then the EDB user security won't help much anyways unless the
> catalog and table files are encrypted (the configuration files are
> always encrypted).

No, the client will have the client application which it will only
connect to my server. (IOW, the client will not have access to any
catalogs or tables)

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr

Dear Roy,

>> Here's the problem. It's very easy to hack my application, on the other
>> hand it's not easy to have the EDB Server remotely ...
>
> You could try to make it harder to hack your app

Well, everything can be cracked if it's loaded into memory.

> 1. Use ElevateDB's inbuilt security and only issue users with the appropriate privileges.

Is it easy to redict me to the manual for that ?

> 2. Do not give users access to typing in SQL but have a statement generator.

I don't. ALL SQL functions are hardcoded into the executable.

> 3. Modify the server to validate SQL commands before carrying them out

That's the best but it's too complicated ...

The best solution is what MySQL does:
http://dev.mysql.com/doc/refman/5.5/en/grant.html

GRANT SELECT, INSERT ON *.* TO 'someuser'@'somehost';

Tim ?

Thank you

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr

Charalampos

>> You could try to make it harder to hack your app
>
>Well, everything can be cracked if it's loaded into memory.

There are levels of security and paranoia beyond which its not sensible to proceed.

>> 1. Use ElevateDB's inbuilt security and only issue users with the appropriate privileges.
>
>Is it easy to redict me to the manual for that ?

I'd prefer to direct you to EDBManager - open it, select help, switch to the index and type User Security (the pdf manual refers you to it but its not there)

>> 2. Do not give users access to typing in SQL but have a statement generator.
>
>I don't. ALL SQL functions are hardcoded into the executable.

That is bad if you're concerned about security,  unless you compress and obfusticate your exe. Its what I do, but, if you look at your exe in a hex viewer you'll see all your lovely sql code.

>> 3. Modify the server to validate SQL commands before carrying them out
>
>That's the best but it's too complicated ...
>
>The best solution is what MySQL does:
>http://dev.mysql.com/doc/refman/5.5/en/grant.html
>
>GRANT SELECT, INSERT ON *.* TO 'someuser'@'somehost';

That's pretty much what you can do.

Roy Lambert [Team Elevate]

Michael,

<< No, the client will have the client application which it will only
connect to my server. (IOW, the client will not have access to any catalogs
or tables) >>

In that case, the built-in user security will do what you want:

http://www.elevatesoft.com/manual?action=viewtopic&id=edb2sql&topic=User_Security

--
Tim Young
Elevate Software
www.elevatesoft.com

Dear Tim,

> << No, the client will have the client application which it will only
> connect to my server. (IOW, the client will not have access to any
> catalogs or tables) >>
>
> In that case, the built-in user security will do what you want:
>
> http://www.elevatesoft.com/manual?action=viewtopic&id=edb2sql&topic=User_Security

Thanks for the link. My point was that this security system doesn't
support operators/conditions eg, "Like". (IOW to block the user to
use the "Like" operator)

Could you add it into your outstanding huge list please ? <vbg>

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr