June 12, 2008 at 9:21 am
bots are inserting malicious script into my database tables, in every varchar or text column
they are doing it becoz of some leaky asp scripts
now i want to create a login especially for asp pages, with a view only rights, without any update,delete or insert permission
i creating a login using sql 2005 env with db_reader permission, its not working
i cannot execute procedures or any sql statements, what extra i need to do, to make it work
<a href="http://www.websolsoftware.com"> For IT jobs click here</a>
*Sukhoi*[font="Arial Narrow"][/font]
June 12, 2008 at 10:08 pm
If you want to view data, in the database, adding the user to db_datareader will allow SELECT to run against tables and views. It will not permit EXECUTE for stored procedures.
If you database is in 90 compatibility mode (meaning SQL Server 2005), you can grant EXECUTE at the database or the schema level. It is recommended you do so at the schema. So if all of your objects are in the dbo schema, you would do the following:
GRANT EXECUTE ON SCHEMA::dbo TO Username
Keep in mind, though, that if your stored procedures modify data, they can now be executed. If the stored procedures were built using an ownership chaining model, that means they can modify data even if the user doesn't have INSERT, UPDATE, or DELETE rights against the base tables. That's actually the idea behind ownership chaining.
K. Brian Kelley
@kbriankelley
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply