Hello,
I'm starting the development of a new software that must be compliant to SQL Server (2005 and above), Oracle (10r2 and above) and Sybase (12.5 and above). I'm planning on implementing the database abstraction using stored procedures, so I can use more performatic code implementing database specific approaches for each case. I plan to deny access to all table information, including data read, and allow access to information only through stored procedures. The problem is that when I grant the EXECUTE permission on a Stored Procedure that will be used to INSERT, if the user connects to the database through SSMS or SQL Plus, he will be able to add data by calling the procedure directly, and I would like to prevent that. I would like that the data manipulation through stored procedures be executed only through my application. I could give separate logins for my application and the users, but I want to have the possibility of my application connecting to the database through NT authentication, using the user's credential. Is there a way to do this?
Is there a better way to achieve what I'm trying to achieve?
Thanks
views:
29answers:
1
A:
You could embed a UUID in your application and have the stored procedure require it before it will write data into the DB.
ChrisBD
2009-10-08 13:35:43
That was my possible solution. I wrote the question to see if there's another way to do it, or if what I want to do is actually correct, or indeed a best-practice. Thanks for your answer
Pascal
2009-10-08 14:09:41