Locking statements |
Fri, Feb 18 2011 12:43 PM | Permanent Link |
Charalampos Michael | Dear Steve,
> IMHO I think it would be a nightmare having permissions down to that level. Do other databases do this? I've never seen it in MS SQL Server or Oracle.

Nope, the mechanism/code is already ready, just an extension of it.

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr
Tue, Feb 22 2011 8:29 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Roy,
<< Tim it might be a good idea when cross referencing manuals to make it clear. >>

The PDFs are notoriously a pain in the butt to deal with due to their format limitations compared to HTML or something with proper hyper-linking support in a URL format. Revamping the way that the PDFs are generated is pretty low on the list right now.

--
Tim Young
Elevate Software
www.elevatesoft.com
Tue, Feb 22 2011 8:30 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Michael,
<< Thanks for the link. My point was that this security system doesn't support operators/conditions eg, "Like". (IOW to block the user to use the "Like" operator) >>

What are you trying to accomplish ? IOW, what is the reasoning behind not allowing a user to use LIKE ? Is it a performance consideration ?

--
Tim Young
Elevate Software
www.elevatesoft.com
Tue, Feb 22 2011 8:45 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Tim
><< Tim it might be a good idea when cross referencing manuals to make it clear. >>
>
>The PDFs are notoriously a pain in the butt to deal with due to their format limitations compared to HTML or something with proper hyper-linking support in a URL format. Revamping the way that the PDFs are generated is pretty low on the list right now.

Fair enough. However, just to make it clear, I wasn't suggesting anything sophisticated like automatically jumping to the correct PDF, just a simple "(see the sql manual)" after the reference to user security.

Roy Lambert
Wed, Feb 23 2011 1:48 AM | Permanent Link |
Charalampos Michael | Dear Tim,
> What are you trying to accomplish ? IOW, what is the reasoning behind not allowing a user to use LIKE ? Is it a performance consideration ?

For someone to steal the whole data of the Table. Eg, I use the following SQL to get a particular customer's data:

    SELECT * FROM CUSTOMER_DATA WHERE CUSTOMERID = 10

Now, if someone hacks this SQL and deletes WHERE it will give him access to all the Data on the table, right ? That's what I want to prevent!

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr
Wed, Feb 23 2011 4:15 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Charalampos
Blocking access to LIKE would not prevent the scenario you just described.

<rant on>

I work in an industry which is very datacentric - recruitment. The reason I started using Delphi (version 1) was to develop systems for myself initially and then for my staff as I got some. Initially I had a cheap printer hooked up to everyone's PC. I had to remove them because one individual was quietly printing out the whole database - one contact (= customer or potential customer) and one candidate at a time.

I mention that because you can't stop people stealing the data; the best you can do is make it difficult. At some point the cost of making it any more difficult in terms of time & money spent and hair pulled out just isn't worth the benefit.

I would use ElevateDB's built-in encryption and engine signature, build in functionality that requires users to alter passwords monthly, delete the built-in Administrator account and leave it at that.

Bear in mind that anyone who has the skills to hack sql resident in memory before it's transferred to the server is liable to have the skills to have the server itself and just grab the tables.

<rant off>

Roy Lambert
Wed, Feb 23 2011 4:39 AM | Permanent Link |
Charalampos Michael | Dear Roy,
> Blocking access to LIKE would not prevent the scenario you just described.
>
> <rant on>
>
> I work in an industry which is very datacentric - recruitment. The reason I started using Delphi (version 1) was to develop systems for myself initially and then for my staff as I got some. Initially I had a cheap printer hooked up to everyone's PC. I had to remove them because one individual was quietly printing out the whole database - one contact (= customer or potential customer) and one candidate at a time.
>
> I mention that because you can't stop people stealing the data; the best you can do is make it difficult. At some point the cost of making it any more difficult in terms of time & money spent and hair pulled out just isn't worth the benefit.
>
> I would use ElevateDB's built-in encryption and engine signature, build in functionality that requires users to alter passwords monthly, delete the built-in Administrator account and leave it at that.
>
> Bear in mind that anyone who has the skills to hack sql resident in memory before it's transferred to the server is liable to have the skills to have the server itself and just grab the tables.
>
> <rant off>
>
> Roy Lambert

I guess you forgot that the end-user will connect to an EDB Server and it will not have access to a physical database file.

So, the only way to steal other or all data is to alter SQL statements.

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr
Wed, Feb 23 2011 4:50 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Charalampos
>I guess you forgot that the end-user will connect to an EDB Server and it will not have access to a physical database file.

Not at all. I just assume anyone with the capability of hacking sql statements in memory ("Well, everything can be cracked if it's loaded into memory.") will be able to hack a remote server. Remember it's not the EDBServer they'd hack, it's the actual server machine.

>So, the only way to steal other or all data is to alter SQL statements.

Tell me how much the data is likely to be worth. If it's enough I'll give you a number of approaches.

Years ago a company I was dealing with were supplying GCHQ (UK secret service hq) with VDUs. They had to be built into a mesh cage so that radio emissions from them couldn't be picked up and decoded remotely.

Roy Lambert
Wed, Feb 23 2011 3:18 PM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Michael,
<< Now, if someone hacks this SQL and deletes WHERE it will give him access to all the Data on the table, right ? That's what I want to prevent! >>

If that's what you want to prevent, then the only way to do so is to have your application only use views/stored procedures for data retrieval, and to not give any user SELECT (read) access on any table, rather only give them SELECT (read) access to the desired views or EXECUTE access to the desired stored procedures.

--
Tim Young
Elevate Software
www.elevatesoft.com
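
The approach from the last reply, sketched as an added example that is not part of the thread or of Elevate Software's documentation. It is written in PostgreSQL syntax, not ElevateDB's, and the table columns, roles, view and function are hypothetical.

```sql
-- PostgreSQL syntax; every table, column, role and routine name is hypothetical.
CREATE TABLE customer_data (
    customerid integer PRIMARY KEY,
    login_name text NOT NULL,   -- database login the row belongs to (assumed column)
    name       text NOT NULL
);
INSERT INTO customer_data VALUES   -- constructed sample rows
    (10, 'alice', 'Alice Ltd'),
    (11, 'bob',   'Bob GmbH');

CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- Nobody but the owner may read the base table directly.
REVOKE ALL ON customer_data FROM PUBLIC;

-- The row filter lives in the view, so the client cannot drop it by
-- editing the statement it sends. The view reads the table with its
-- owner's rights; current_user is still the caller. security_barrier
-- keeps caller-supplied predicates from running before the filter.
CREATE VIEW my_customer_data WITH (security_barrier) AS
    SELECT customerid, name
    FROM customer_data
    WHERE login_name = current_user;

GRANT SELECT ON my_customer_data TO alice, bob;

-- Stored-procedure variant. Inside a SECURITY DEFINER routine
-- current_user is the routine's owner, so the filter uses session_user.
CREATE FUNCTION get_my_customer()
RETURNS TABLE (customerid integer, name text)
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public
AS $$
    SELECT c.customerid, c.name
    FROM customer_data c
    WHERE c.login_name = session_user;
$$;

-- Functions are executable by PUBLIC by default; narrow that.
REVOKE ALL ON FUNCTION get_my_customer() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION get_my_customer() TO alice, bob;
```

A session logged in as alice is refused on `customer_data` itself, and both the view and the function return only her row whether or not the client's statement carries a WHERE clause.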
This web page was last updated on Tuesday, May 7, 2024 at 06:25 PM