September 1, 2011 at 7:09 am
awp (9/1/2011)
the web application contains a fair amount of controls, as you suggested, but I guess having a control on the DB gives additional security, for example in the case of someone hacking the application.
This is where you have to make sure that there is no direct access to tables for any user. 🙂 If you can get all access from web application to DB through stored procs, then you do not need to give any direct permission to the tables. That means even if someone hacks your web server (Application) they cannot run any select, update, insert or delete statements.
-Roy
September 1, 2011 at 8:05 am
Roy is completely correct. Most of the high-profile stories on the Internet take place through SQL injection, which mostly works because developers don't use stored procedures. They think writing the query inline is somehow faster.
If you have control over the front end code, use stored procedures and don't give any rights to tables.
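The permission model described above, as an added T-SQL example that is not from this thread: the application user gets EXECUTE on a parameterized procedure and no rights on the table itself, so the table is reachable only through the procedure. The login, user, role, table and procedure names are assumed for illustration.

```sql
-- Constructed example: least-privilege access through stored procedures.
-- All names (AppLogin, AppUser, db_app_exec, dbo.Orders, dbo.usp_GetOrdersByCustomer) are assumed.

-- 1. A dedicated login/user for the web application, with no default rights.
CREATE LOGIN AppLogin WITH PASSWORD = '<replace-with-a-strong-password>';
GO
CREATE USER AppUser FOR LOGIN AppLogin;
GO

-- 2. A database role that will hold EXECUTE rights only.
CREATE ROLE db_app_exec;
EXEC sp_addrolemember 'db_app_exec', 'AppUser';
GO

-- 3. Sample table, owned by dbo like the procedure below.
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT NOT NULL,
    OrderDate  DATETIME NOT NULL DEFAULT GETDATE(),
    Total      MONEY NOT NULL
);
GO

-- 4. A parameterized procedure: @CustomerId is always data, never concatenated into SQL text.
CREATE PROCEDURE dbo.usp_GetOrdersByCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- 5. Grant EXECUTE on the procedure only. There is deliberately no GRANT on dbo.Orders.
--    Because procedure and table share the owner (dbo), ownership chaining lets the
--    procedure read the table without the caller holding SELECT on it.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrdersByCustomer TO db_app_exec;
GO

-- 6. Check the effective rights by impersonating the application user.
EXECUTE AS USER = 'AppUser';
SELECT * FROM dbo.Orders;                           -- fails: SELECT permission denied (Msg 229)
EXEC dbo.usp_GetOrdersByCustomer @CustomerId = 42;  -- succeeds, returns rows for customer 42
REVERT;
GO
```

The same check (step 6) is worth repeating after any schema change, since a later GRANT on the table or mapping the login to a fixed server role such as sysadmin silently undoes the restriction.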
September 1, 2011 at 9:49 am
You guys are absolutely right, that would be the best way to do it. I develop the front end as well but wasn't involved in the beginning; since I took over I have used stored procedures most of the time. However, the app still contains loads of inline queries, so it will not be an easy task to convert them all - but it is something to take on board for future developments.
Thank you guys.