We need to deploy application(developed by Java) WAR file in client place which make use of MySql 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect data. The client can make use of the application but they should not be able to change any value in database. How to do that?
+5
A:
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO db_user@'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
http://stackoverflow.com/questions/796619/cant-set-permissions-on-mysql-user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
http://articles.techrepublic.com.com/5100-10878_11-1061781.html
hgulyan
2010-05-31 11:49:21
@hgulyan: I am using MySql 5.0. but your links pointing to sql-server. any suggestion for this.
Paul
2010-05-31 11:56:37
@Paul: Sorry, I've edited my answer with new links.
hgulyan
2010-05-31 11:58:34
I've updated my answer with new links and example.
hgulyan
2010-05-31 12:15:53
Thank you very much hgulyan...
Paul
2010-05-31 12:19:36
@Paul, If you consider, that I've answered to your question, accept it:)
hgulyan
2010-05-31 12:31:03
@hgulyan done it :). can i have higher accept rate if i accept the answers??
Paul
2010-05-31 12:47:14
@Paul, Yes, you should accept correct answers. Read http://stackoverflow.com/faq
hgulyan
2010-05-31 12:50:53
@hgulyan, Ok fine.Thanks for your support through answers :) Have a great day
Paul
2010-06-01 04:29:32
@Paul, you're welcome.
hgulyan
2010-06-01 04:34:45
+2
A:
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't forsee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.
BalusC
2010-05-31 11:49:50
+3
A:
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretent he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
wump
2010-05-31 12:10:25
And what if the credentials are for a user without modifying rights? Or only certain stored procedures are used?
Konerak
2010-05-31 12:16:56
What has to done between client and MySQL database. Pl mention clearly whether it is possible or not!
Paul
2010-05-31 12:25:48
If the credentials are for a user without modifying rights, the application (and stored procedures) cannot makes changes either. This is contrary to the question.
wump
2010-05-31 12:26:50
@wump: a WAR file signifies a **web** application. So I bet that the client doesn't run at the same machine as the server. The only wall is the Java webapp code and the control is fully at the server side (at the developer). So unless the code is prone to SQL injections, there should be absolutely no problem and MySQL user/roles has absolutely no influence on this. It's all how you control the access to the webapp itself (by HTTP) and how the webapp is programmed.
BalusC
2010-05-31 12:31:24
It UI will work like what we progrmmed. But what i am asking is at the back side of DB by directly changing the value of records by logging into the DB
Paul
2010-05-31 12:31:29
Paul
2010-05-31 12:33:30
@Paul: you should have been more clear on that :/ Then the answer of @wump is correct. If the DB runs at the client, you cannot restrict the control in any way. It's like as attempting to restrict the control all of the DB's and servers at **my** laptop right here. Think logically.
BalusC
2010-05-31 12:35:09
@BalusC:Now i am clear that if i deploy every thing in client machine i can't do it any way. It can be controlled if it is in our hand. Thanks for all people participation and make myself clear. Thanking you once again :)
Paul
2010-05-31 12:42:34