tags:

views:

37

answers:

3
+2  Q: 

improve security at "database layer" - only select queries allow

I am building a application in silverlight which will enable users read information about their payment. Their login and password will be save in table in db.

It is possibility to improve security in my app by limiting what data a query has access to? For instance i want to prevent a user from selecting data they do not own. A limitation is that my application is using a its own table for users, so i cannot use GRANT PERMISSION :/. I am using Linq to build my sql queries.

This question is from my teacher who "suggest" me to improve security, so if it's impossible - it's no big deal ;)

+3  A: 

Well, it is kind of a vague question you've asked, but I'll hazard a stab at it.

You must be doing some authentication on the user's identity to only be showing them their payment, as opposed to someone else's payment. So, if you can do that, you should be able to create triggers that disallow any insert, updates, or deletes on your tables from those same identities... I don't think this is a very robust or scalable solution, but it's an idea. 

CREATE TRIGGER [x] ON [TABLE] FOR INSERT

/* Disallow Users to insert */
IF EXISTS( SELECT 1 1 FROM [Users] WHERE [Users].UserID = [Y])
--Rollback transaction, set error, etc

Do you have any more details? Anything else could be helpful in finding a better solution.

davecoulter  2010-03-10 00:20:01
I dont know too much about trigger, but You code T-SQL code execute on every of my table will block everybody from insert in table? Rollback is roll table to state before, but if user cant do nothing what sense of rollback ? Maybe better is alert "You do not have perrmition" ? About authentication, I will ask new question about use certificate to login user which I want implement...
netmajor  2010-03-10 00:53:09
+1  A: 

A fine tuned access control for database resources is a very uncommon method of securing your application. User level access control is best implanted by the application. The sql user account used by the application should be as restricted as possible. For instance it should only be able to use the database(s) it needs to function, and nothing more.

There is 1, and only 1 project that has fine grained access control for a sql database, and that project is SE-PostgreSQL.

"It can provide fine grained mandatory access control to various database objects such as tables, columns or tuples and can apply consistent authority of remote/local client integrated with operation system independent from database authorization."

Rook  2010-03-10 03:04:32
Very thx for reply The Rook! I search for connection string I using to connect to SQL server and find out that it could include db user id(i don't know that before and log with admin privileges :/ ) Now i use this way for security for my database layer :) I see about SE-PostgreSQL and it look ideal for my problem but unfortunately it's support only Postgre :/
netmajor  2010-03-10 03:33:11
A: 

Create a view named 'MyPayments', on the 'Payments' table. Make sure you have a WHERE clause in the view definition, so that the view returns only the relevant data to each user. Here is what the WHERE clause of your view will look like:

WHERE PaymentOwner = SUSER_SNAME()

The SUSER_SNAME() system function returns the currently logged in user's login name. If the first user logs in with the login name 'User1' and inserts a row, his/her login name is stored along with the row. The SUSER_SNAME() function in the WHERE clause of the view definition makes sure 'User1' see only those rows that have the 'PaymentOwner' column set to 'User1'.

More here

Andrew Strong  2010-03-10 03:37:29

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?