April 3, 2008 at 11:54 am
We have a User Interface front end where users are able to plug in their own SQL scripts to run against their series or orders and mailings to view certain aspects of their business dealings with their clients. However, this scripting area on the front end has massive security holes in it, as users who are capable enough will be able to drop, insert or update rows, when really all they need to do is SELECT statements.
Without altering any security on the DB, does anyone know of any good resources that will help us add to our tcl script that currently parses the statement? (Currently all this is doing is checking for the correct number of parentheses.)
April 4, 2008 at 7:59 am
I don't know of any off-the-shelf components that would do this, as I have never given users that kind of permission.
The first thing I would do is check for these words:
Delete
Truncate
Update
Insert
And not allow the query to go through.
Then I would evaluate using Reporting Services and Report Builder for user reporting. You can create the appropriate report models and then allow the users to create reports using the Report Builder.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
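Added example, not code from either poster: a small Python validator that implements the keyword check suggested in the reply above and, next to it, a stricter allowlist check (single statement, must begin with SELECT or WITH, balanced parentheses, no data-changing keywords). It is Python rather than the Tcl the question mentions so the logic is easy to read; the keyword lists beyond the reply's four words, the comment and string-literal stripping, and the sample queries are all constructed here. The test cases show two things a naive version gets wrong: a plain substring match rejects a harmless column such as `updated_at`, and the four-word list on its own does not stop a DROP or a second statement appended after a semicolon.

```python
import re

# The four keywords the reply above proposes to reject.
REPLY_KEYWORDS = ("delete", "truncate", "update", "insert")

# Assumption: a fuller list for a SELECT-only front end on SQL Server
# (INTO covers SELECT ... INTO, which creates a table).
EXTENDED_KEYWORDS = REPLY_KEYWORDS + (
    "drop", "alter", "create", "merge", "into",
    "exec", "execute", "grant", "revoke", "deny",
)


def normalise(sql: str) -> str:
    """Drop comments and blank out string literals.

    Keywords hidden inside comments must not be overlooked, and words that
    merely appear inside a quoted literal must not cause a false rejection.
    """
    no_block = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    no_line = re.sub(r"--[^\n]*", " ", no_block)
    # 'it''s' style literals: replace the whole literal with an empty one.
    return re.sub(r"'(?:[^']|'')*'", "''", no_line)


def naive_substring_check(sql: str, denied=REPLY_KEYWORDS) -> bool:
    """The obvious first attempt: plain substring match. Kept only to show
    the false positive it produces on identifiers such as updated_at."""
    lower = sql.lower()
    return not any(k in lower for k in denied)


def denylist_check(sql: str, denied=REPLY_KEYWORDS) -> bool:
    """Whole-word keyword denylist over the normalised text."""
    words = re.findall(r"[A-Za-z_]+", normalise(sql).lower())
    return not any(w in denied for w in words)


def allowlist_check(sql: str) -> bool:
    """Accept only a single SELECT (or WITH ... SELECT) statement."""
    cleaned = normalise(sql).strip()
    if cleaned.endswith(";"):
        cleaned = cleaned[:-1].rstrip()
    if not cleaned or ";" in cleaned:        # empty or stacked statements
        return False
    if not re.match(r"^(select|with)\b", cleaned, flags=re.I):
        return False
    if cleaned.count("(") != cleaned.count(")"):  # the check the question already has
        return False
    # Belt and braces: no data-changing keyword anywhere, even in a subquery.
    return denylist_check(sql, EXTENDED_KEYWORDS)


if __name__ == "__main__":
    # Constructed sample scripts a user might submit.
    samples = [
        "SELECT OrderId, Total FROM Orders WHERE ClientId = 42",
        "SELECT updated_at FROM Mailings",
        "DROP TABLE Orders",
        "SELECT 1; DROP TABLE Orders",
        "SELECT * INTO OrdersCopy FROM Orders",
    ]
    for s in samples:
        print(f"{s!r:50} reply-list={denylist_check(s)!s:5} allowlist={allowlist_check(s)}")
```

The allowlist form is the one to build on: it describes what a reporting user is permitted to send rather than trying to enumerate everything they are not, so a statement type nobody thought of is rejected by default. A parser check of this kind still sits in front of a connection that can write, which is why the reply's second suggestion (a reporting tool over a model) or a read-only account remains the more robust control.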
April 7, 2008 at 12:33 am