September 3, 2008 at 8:51 pm
With all the SQL injection attacks going around, I would like to deny the user my web app runs under access to sysobjects and syscolumns. I found a blog explaining how to do it via the SQL 2000 GUI, but can't find any info on how to do it via the SQL 2005 GUI.
September 3, 2008 at 9:09 pm
Go to Database user --> Right click --> Properties --> Left side (click on Securables) --> Click Add... --> All objects of the type --> Under "Select the types of objects to find" (choose Views, click OK) --> Select your sys.sysobjects and ... and in the bottom screen check Deny --> OK.
HTH
MJ
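For those who prefer a script to the GUI, here is the same DENY expressed in T-SQL. This is an added example, not part of MJ's reply; it assumes a database user named webapp_user and a database named YourAppDb, so substitute your own. Note that in SQL 2005 the old sysobjects/syscolumns names are compatibility views, and the same metadata is also exposed through the sys.* catalog views and INFORMATION_SCHEMA, so denying only the two legacy views leaves the other routes open; the script denies those as well and then checks the result from the web user's own context.

```sql
-- Added example, not from the original post: T-SQL equivalent of the GUI steps.
-- Run as a sysadmin (or db_owner) in the application database.
-- 'YourAppDb' and 'webapp_user' are assumed names; substitute your own.
USE YourAppDb;
GO

-- The two views the question asked about (SQL 2000 names, compatibility views in 2005).
DENY SELECT ON sys.sysobjects TO webapp_user;
DENY SELECT ON sys.syscolumns TO webapp_user;

-- The 2005 catalog views and INFORMATION_SCHEMA expose the same schema information,
-- so an attacker who cannot read sysobjects simply reads sys.tables instead.
DENY SELECT ON sys.objects            TO webapp_user;
DENY SELECT ON sys.tables             TO webapp_user;
DENY SELECT ON sys.columns            TO webapp_user;
DENY SELECT ON INFORMATION_SCHEMA.TABLES  TO webapp_user;
DENY SELECT ON INFORMATION_SCHEMA.COLUMNS TO webapp_user;
GO

-- Verify from the web user's context. Each SELECT should fail with error 229,
-- "The SELECT permission was denied on the object ...". TRY/CATCH keeps the
-- batch running so REVERT is always reached.
EXECUTE AS USER = 'webapp_user';

BEGIN TRY
    SELECT name FROM sys.sysobjects WHERE xtype = 'U';
END TRY
BEGIN CATCH
    PRINT 'sysobjects: ' + ERROR_MESSAGE();
END CATCH;

BEGIN TRY
    SELECT name FROM sys.tables;
END TRY
BEGIN CATCH
    PRINT 'sys.tables: ' + ERROR_MESSAGE();
END CATCH;

REVERT;
GO
```

Remember that a DENY on metadata only hides the schema from a user who can already run arbitrary SQL; it does not stop that user from reading or changing the application tables they do have rights on.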
September 3, 2008 at 10:10 pm
Fantastic, thank you!
September 3, 2008 at 11:58 pm
Well, OK, but I hope you don't think this will protect you from SQL injection!
🙂
---------------------------------------
elsasoft.org
September 4, 2008 at 2:04 am
Rather, ensure that your web app is using only stored procedures, calls them using parameters, and that the web user has no rights to any of the base tables. That means no ad-hoc SQL, no dynamic SQL.
That will protect you against SQL injection.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
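The following script, added here as an example and not Gail's own code, shows the model she describes in T-SQL (SQL 2005 syntax): a parameterized stored procedure, a web user that holds EXECUTE on the procedure but no rights on the base table, and, for contrast, a procedure that concatenates its parameter into dynamic SQL and stays injectable. The table, procedure and user names (dbo.Customers, dbo.GetCustomerByName, webapp_user) and the test payload are constructed for the example.

```sql
-- Added example, not from the original post. All object names are assumed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(200) NOT NULL
);
GO
INSERT INTO dbo.Customers (Name, Email) VALUES (N'Alice', N'alice@example.com');
INSERT INTO dbo.Customers (Name, Email) VALUES (N'Bob',   N'bob@example.com');
GO

-- WRONG: a stored procedure that builds its statement by concatenation is still
-- injectable; the caller's input becomes part of the SQL text.
CREATE PROCEDURE dbo.GetCustomerByName_Unsafe
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
             + @Name + N'''';
    EXEC (@sql);
END
GO

-- RIGHT: @Name is only ever a value compared against the column, never SQL text.
CREATE PROCEDURE dbo.GetCustomerByName
    @Name NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name;
END
GO

-- Least privilege: the web user may execute the procedures but has no rights on
-- the table. Ownership chaining (procedure and table both owned by dbo) lets the
-- safe procedure read the table on the user's behalf.
CREATE USER webapp_user WITHOUT LOGIN;   -- assumed; in practice map it to the app's login
GRANT EXECUTE ON dbo.GetCustomerByName        TO webapp_user;
GRANT EXECUTE ON dbo.GetCustomerByName_Unsafe TO webapp_user;
GO

-- Constructed injection payload: closes the string literal and comments out the rest.
DECLARE @payload NVARCHAR(100);
SET @payload = N'x'' OR 1=1 --';

EXECUTE AS USER = 'webapp_user';

-- Parameterized procedure: no customer is literally named "x' OR 1=1 --", so 0 rows.
EXEC dbo.GetCustomerByName @Name = @payload;

-- Direct table access is refused: the web user has no SELECT on dbo.Customers.
BEGIN TRY
    SELECT * FROM dbo.Customers;
END TRY
BEGIN CATCH
    PRINT 'direct SELECT: ' + ERROR_MESSAGE();
END CATCH;

-- The unsafe procedure's EXEC(@sql) breaks the ownership chain, so the dynamic
-- statement is checked against the caller and fails for the same reason.
BEGIN TRY
    EXEC dbo.GetCustomerByName_Unsafe @Name = @payload;
END TRY
BEGIN CATCH
    PRINT 'unsafe proc as web user: ' + ERROR_MESSAGE();
END CATCH;

REVERT;

-- Run by a user who does have table rights, the unsafe procedure returns every
-- row: the payload rewrote the WHERE clause to "Name = 'x' OR 1=1".
EXEC dbo.GetCustomerByName_Unsafe @Name = @payload;
GO
```

The last call is the point of "no dynamic SQL": once input is spliced into statement text, the procedure boundary gives no protection, and the only thing limiting the damage is what the executing principal is allowed to touch.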