I am told that usage of SP_OACreate, SP_OAMethod in SQL Server 2000 is a security risk.

I am using a strong name in the assembly, and it is stored in the GAC on the SQL Server machine.

What are the security implications/compromises?

A: 

Not sure what you're attempting, but for SQL 2000 you should read "Using extended stored procedures or SP_OA stored procedures to load CLR in SQL Server is not supported".

The risk is that you must grant EXECUTE permission on SP_OACreate to the user. This means that if they subsequently found a way to execute arbitrary SQL they could create instances of any library available on the server. Another issue is that SP_OACreate loads the library in-process, so if it bombs, so does your server.

Alex K.
I am parsing a SQL string stored as ntext within a given table and returning the result as a row set (the client expects the result in a data table). PS: Execute permissions have to be granted for any user who requires to execute them. The only difference I can see is that we have to set Execute permission on SP_OACreate etc. explicitly.
TonyP
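
The exposure described in the answer depends on who holds EXECUTE on the SP_OA procedures. The following audit query is an added example, not part of the original thread; it assumes SQL Server 2000 system tables and is run in the master database by an administrator.

```sql
-- Added example: list explicit EXECUTE grants on the sp_OA* procedures.
-- Assumes SQL Server 2000 (sysprotects / sysobjects / sysusers in master).
USE master
GO

SELECT  o.name AS procedure_name,
        u.name AS grantee,
        CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
        END    AS permission_state
FROM    dbo.sysprotects p
JOIN    dbo.sysobjects  o ON o.id  = p.id
JOIN    dbo.sysusers    u ON u.uid = p.uid
WHERE   o.name LIKE 'sp[_]OA%'        -- sp_OACreate, sp_OAMethod, ...
  AND   p.action = 224                -- 224 = EXECUTE
  AND   p.protecttype IN (204, 205)   -- rows that grant the permission
ORDER BY o.name, u.name
GO

-- Members of the sysadmin role can execute these procedures without
-- any explicit grant, so review that membership as well.
EXEC sp_helpsrvrolemember 'sysadmin'
GO
```

Any grantee other than a dedicated, tightly scoped account (in particular `public` or `guest`) means that a SQL injection flaw in an application using that login can instantiate COM objects inside the server process.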