How to deny sysobjects and syscolumns access via SQL 2005 GUI?

  • With all the SQL injection attacks going around, I would like to deny the user my web app runs under access to sysobjects and syscolumns. I found a blog explaining how to do it via the SQL 2000 GUI, but can't find any info on how to do it via the SQL 2005 GUI.

  • Go to Database user --> Right Click --> Properties --> Left side (click on Securables) --> Click Add... All Objects of the type --> Under "Select the types of objects to find" (choose Views, click OK) --> Select your sys.sysobjects and ... and in the lower screen check Deny --> OK.

    HTH

    MJ

  • Fantastic, thank you!

  • Well, OK, but I hope you don't think this will protect you from SQL injection!

    🙂

    ---------------------------------------
    elsasoft.org

  • Rather ensure that your web app is using only stored procedures, calls them using parameters and that the web user has no rights to any of the base tables. That means no ad-hoc SQL, no dynamic SQL.

    That will protect you against SQL injection.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
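
The two approaches from the thread, expressed in T-SQL as an added example that is not part of any post above: the DENY that the Securables dialog applies, and a parameterized stored procedure as the web user's only route to the data. The names `webapp_user`, `dbo.Customers` and `dbo.GetCustomerByName` are hypothetical, and the script assumes a scratch database where you are a member of db_owner.

```sql
-- Added example. All object and user names below are hypothetical.
-- A database user with no login, standing in for the web application's account.
CREATE USER webapp_user WITHOUT LOGIN;
GO

-- Constructed sample table standing in for an application base table.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers (Name) VALUES (N'Alice');
GO

-- 1. What the Securables dialog does: deny SELECT on the catalog views.
DENY SELECT ON sys.sysobjects TO webapp_user;
DENY SELECT ON sys.syscolumns TO webapp_user;
GO

-- 2. Static, parameterized procedure: @Name is always bound as data and is
--    never concatenated into a SQL string (no EXEC(), no sp_executesql).
CREATE PROCEDURE dbo.GetCustomerByName
    @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name
    FROM dbo.Customers
    WHERE Name = @Name;
END
GO

-- 3. The web user gets EXECUTE on the procedure and nothing on the table.
--    Ownership chaining (both objects are owned by dbo) lets the static
--    SELECT inside the procedure read dbo.Customers on the caller's behalf.
GRANT EXECUTE ON dbo.GetCustomerByName TO webapp_user;
GO

-- 4. Inspect the effective permissions while impersonating the web user.
EXECUTE AS USER = 'webapp_user';
SELECT
    HAS_PERMS_BY_NAME('sys.sysobjects', 'OBJECT', 'SELECT')          AS can_read_sysobjects,
    HAS_PERMS_BY_NAME('sys.syscolumns', 'OBJECT', 'SELECT')          AS can_read_syscolumns,
    HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT')           AS can_read_table,
    HAS_PERMS_BY_NAME('dbo.GetCustomerByName', 'OBJECT', 'EXECUTE')  AS can_exec_proc;
EXEC dbo.GetCustomerByName @Name = N'Alice';
REVERT;
GO
```

Ownership chaining does not extend to dynamic SQL inside a procedure, which is why the "no dynamic SQL" condition in the last post matters for this permission model.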
