Login ProductsSalesSupportDownloadsAbout |
Home » Technical Support » ElevateDB Technical Support » Support Forums » ElevateDB General » View Thread |
Messages 1 to 10 of 29 total |
Locking statements |
Mon, Feb 14 2011 7:01 AM | Permanent Link |
Charalampos Michael | Hello,
Is is possible to create a user that it will use only "select" statement and also lock the "LIKE" statement access from the user ? Thank you -- Charalampos Michael - [Creation Power] - http://www.creationpower.gr |
Mon, Feb 14 2011 8:06 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Charalampos
Yes and No Its possible to create a role which only has select privileges for a database and then allocate that role only to a user, but I don't know of any way to lock out a specific type of select. If they're typing the statements in it should be possible to track back the permissions they have and block it in your app. Roy Lambert [Team Elevate] |
Mon, Feb 14 2011 11:28 AM | Permanent Link |
Charalampos Michael | Dear Roy,
> Yes and No > > Its possible to create a role which only has select privileges for a database and then allocate that role only to a user, but I don't know of any way to lock out a specific type of select. > > If they're typing the statements in it should be possible to track back the permissions they have and block it in your app. > > Roy Lambert [Team Elevate] Here's the problem. It's very easy to hack my application, on the other hand it's not easy to have the EDB Server remotely ... IOW, someone can tamper my application and replace the SQL which it will give him full access to the tables ... -- Charalampos Michael - [Creation Power] - http://www.creationpower.gr |
Tue, Feb 15 2011 4:23 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Charalampos
>Here's the problem. It's very easy to hack my application, on the other >hand it's not easy to have the EDB Server remotely ... You could try to make it harder to hack your app >IOW, someone can tamper my application and replace the SQL which it will >give him full access to the tables ... If your app allows for anyone to update data in the tables, or worse alter the structure of the tables, then you potentially have a problem. If your concern is viewing data in the app then, in my opinion, you have a much bigger problem. Its easier to secure a database from alteration than viewing. However, suggestions: 1. Use ElevateDB's inbuilt security and only issue users with the appropriate privileges. 2. Do not give users access to typing in SQL but have a statement generator. 3. Modify the server to validate SQL commands before carrying them out 1 & 2 are a doddle. No 3 I have no idea where to begin Roy Lambert [Team Elevate] |
Tue, Feb 15 2011 8:08 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Michael,
<< Here's the problem. It's very easy to hack my application, on the other hand it's not easy to have the EDB Server remotely ... IOW, someone can tamper my application and replace the SQL which it will give him full access to the tables ... >> Does the user have direct access to the database catalog and table files ? If so, then the EDB user security won't help much anyways unless the catalog and table files are encrypted (the configuration files are always encrypted). -- Tim Young Elevate Software www.elevatesoft.com |
Tue, Feb 15 2011 8:29 AM | Permanent Link |
Charalampos Michael | Dear Tim,
> << Here's the problem. It's very easy to hack my application, on the > other hand it's not easy to have the EDB Server remotely ... > > IOW, someone can tamper my application and replace the SQL which it will > give him full access to the tables ... >> > > Does the user have direct access to the database catalog and table files > ? If so, then the EDB user security won't help much anyways unless the > catalog and table files are encrypted (the configuration files are > always encrypted). No, the client will have the client application which it will only connect to my server. (IOW, the client will not have access to any catalogs or tables) -- Charalampos Michael - [Creation Power] - http://www.creationpower.gr |
Tue, Feb 15 2011 8:39 AM | Permanent Link |
Charalampos Michael | Dear Roy,
>> Here's the problem. It's very easy to hack my application, on the other >> hand it's not easy to have the EDB Server remotely ... > > You could try to make it harder to hack your app Well, everything can be cracked if it's loaded into memory. > 1. Use ElevateDB's inbuilt security and only issue users with the appropriate privileges. Is it easy to redict me to the manual for that ? > 2. Do not give users access to typing in SQL but have a statement generator. I don't. ALL SQL functions are hardcoded into the executable. > 3. Modify the server to validate SQL commands before carrying them out That's the best but it's too complicated ... The best solution is what MySQL does: http://dev.mysql.com/doc/refman/5.5/en/grant.html GRANT SELECT, INSERT ON *.* TO 'someuser'@'somehost'; Tim ? Thank you -- Charalampos Michael - [Creation Power] - http://www.creationpower.gr |
Tue, Feb 15 2011 10:12 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Charalampos
>> You could try to make it harder to hack your app > >Well, everything can be cracked if it's loaded into memory. There are levels of security and paranoia beyond which its not sensible to proceed. >> 1. Use ElevateDB's inbuilt security and only issue users with the appropriate privileges. > >Is it easy to redict me to the manual for that ? I'd prefer to direct you to EDBManager - open it, select help, switch to the index and type User Security (the pdf manual refers you to it but its not there) >> 2. Do not give users access to typing in SQL but have a statement generator. > >I don't. ALL SQL functions are hardcoded into the executable. That is bad if you're concerned about security, unless you compress and obfusticate your exe. Its what I do, but, if you look at your exe in a hex viewer you'll see all your lovely sql code. >> 3. Modify the server to validate SQL commands before carrying them out > >That's the best but it's too complicated ... > >The best solution is what MySQL does: >http://dev.mysql.com/doc/refman/5.5/en/grant.html > >GRANT SELECT, INSERT ON *.* TO 'someuser'@'somehost'; That's pretty much what you can do. Roy Lambert [Team Elevate] |
Wed, Feb 16 2011 4:42 PM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Michael,
<< No, the client will have the client application which it will only connect to my server. (IOW, the client will not have access to any catalogs or tables) >> In that case, the built-in user security will do what you want: http://www.elevatesoft.com/manual?action=viewtopic&id=edb2sql&topic=User_Security -- Tim Young Elevate Software www.elevatesoft.com |
Wed, Feb 16 2011 5:52 PM | Permanent Link |
Charalampos Michael | Dear Tim,
> << No, the client will have the client application which it will only > connect to my server. (IOW, the client will not have access to any > catalogs or tables) >> > > In that case, the built-in user security will do what you want: > > http://www.elevatesoft.com/manual?action=viewtopic&id=edb2sql&topic=User_Security Thanks for the link. My point was that this security system doesn't support operators/conditions eg, "Like". (IOW to block the user to use the "Like" operator) Could you add it into your outstanding huge list please ? <vbg> -- Charalampos Michael - [Creation Power] - http://www.creationpower.gr |
Page 1 of 3 | Next Page » | |
Jump to Page: 1 2 3 |
This web page was last updated on Tuesday, May 7, 2024 at 06:25 PM | Privacy PolicySite Map © 2024 Elevate Software, Inc. All Rights Reserved Questions or comments ? E-mail us at info@elevatesoft.com |