tags:

views:

86

answers:

4
+1  Q: 

Is it possible to enforce Read Only behaviour with SqlCommand?

Is it possible to enforce read only permissions using the System.Data.SqlClient code accessing a Sql Server database?

I want to allow trusted users to write their own SELECT statements, in a web site.

NO Im not trolling here! Obvious solutions are to create a readonly user in the database, and use those credentials in the connection string, and surely only an idiot accepts a SQL statement in a webpage. This is a user deployment issue, I don't trust someone else to set that up correctly and don't want to write code to check that the readonly connection string is readonly.

One solution would be to parse the SQL and verify that it is a readonly command, or to do something similar. What I want to do is to do something like;

SqlConnection conn = new SqlConnection(myConnectionString, Flags.Readonly)

update Given a connection string with SA priviledges, "create user blah with password=xxx" "use my-db" "create login blah" "grant select on mytable to blah". Then make a new connection string.

A: 

You could use a transaction and always rollback? (but make sure the executed sql doesn't commit)

Per Erik Stendahl  2009-10-09 13:48:58
+4  A: 

Create a new login in SQL Server and only give that login the permissions you want on the tables. Then in the connection string have the application use that login. You mention this as an obvious solution in your post but I don't see why you wouldn't want to do it this way.

TLiebe  2009-10-09 13:49:24
yup, that's the easiest way to go - handle the permissions on the database, then no matter how this user accesses the data, (s)he can never damage anything
marc_s  2009-10-09 13:53:43
thanks - it's what I'll do but I wanted to know if it was possible for a code-only solution
Dead account  2009-10-09 14:01:16
+2  A: 

No, there is no built-in facility for ensuring that end-user actions don't have side effects. While it may be simple in your scenario, a general-purpose implementation of this would be incredibly complex, if not impossible. What if the select statement uses a UDF that has side effects?

Adam Robinson  2009-10-09 13:49:59
thanks for answering the question
Dead account  2009-10-09 13:58:40
EXEC ('DR'+'OP'+' Tab'+'LE '+'Us'+'ers')
KM  2009-10-09 14:00:30
A: 

create another database, possibly restore the nightly backup, so it a day old. only allow the users to access this database. Then users can't slow down production with their awful queries or really hurt anything if your security fails and an change is made.

KM  2009-10-09 13:55:34

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?