
Stopping SQL

edited November 2007 in End User
Chaps

Can you verify this? It seems that a user has established that he can write
SQL code using End User to run code like DROP TABLE, DELETE, INSERT etc.

That's bad news for us. Is this right? If so, are you aware of it, and how do we
stop it?

Thanks

Mark

Comments

  • edited November 2007

    One solution would be to modify the DADE plug-in to allow only Select
    statements. For example, if you are using ADO, modify daADO.pas, the method
    TdaADOQueryDataView.SQLChanged.

    Example:

    lsSQLText := SQL.MagicSQLText;

    { Reject any SQL text that does not contain a SELECT }
    if Pos('SELECT', UpperCase(lsSQLText)) = 0 then
      raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL SELECT not specified');

    FQuery.SQL.Assign(lsSQLText);

    ..or code it like this..

    { Reject any SQL text that contains a DROP, DELETE or INSERT keyword }
    if Pos('DROP', UpperCase(lsSQLText)) > 0 then
      raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL DROP not allowed');

    if Pos('DELETE', UpperCase(lsSQLText)) > 0 then
      raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL DELETE not allowed');

    if Pos('INSERT', UpperCase(lsSQLText)) > 0 then
      raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL INSERT not allowed');

    FQuery.SQL.Assign(lsSQLText);





    --
    Nard Moseley
    Digital Metaphors
    www.digital-metaphors.com

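The Pascal checks posted above match keywords as raw substrings of the SQL text. That both over-blocks (a column named deleted_items contains DELETE, a literal 'insert here' contains INSERT) and under-blocks (a second statement stacked after a semicolon passes the SELECT-only variant, an UPDATE whose subquery contains a SELECT passes both, and SELECT ... INTO is a write that neither variant names). The Python below is an added example written for this page, not code from the thread or from ReportBuilder: it reproduces the two posted variants, then shows a stricter single-statement check that strips string literals and comments in one pass before scanning tokens, and runs all three over constructed sample queries. The keyword list, the sample queries and the function names are assumptions for the example. Whatever check runs in the reporting tool, the database login the designer connects with should itself be limited to SELECT on the tables reports need, because a client-side filter is not a substitute for database permissions.

```python
import re

# Keywords whose presence (outside comments and string literals) marks a statement
# as something other than a plain read. Assumed list for this example; extend it
# for the SQL dialect the reports actually run against.
WRITE_KEYWORDS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "DROP", "ALTER", "CREATE",
    "TRUNCATE", "GRANT", "REVOKE", "EXEC", "EXECUTE", "INTO",
}

# One pass that recognises single-quoted literals ('' is an escaped quote),
# line comments and block comments, so that "--" inside a literal is not taken
# for a comment and a keyword inside a literal is not taken for SQL.
_LEXEME_RE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
_TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\S")


def posted_select_check(sql: str) -> bool:
    """Variant 1 from the thread: accept if the text contains SELECT anywhere."""
    return "SELECT" in sql.upper()


def posted_keyword_check(sql: str) -> bool:
    """Variant 2 from the thread: reject if DROP, DELETE or INSERT occur anywhere."""
    upper = sql.upper()
    return not any(kw in upper for kw in ("DROP", "DELETE", "INSERT"))


def strip_literals_and_comments(sql: str) -> str:
    """Replace every string literal with '' and every comment with a space."""
    return _LEXEME_RE.sub(lambda m: "''" if m.group(0).startswith("'") else " ", sql)


def is_read_only_select(sql: str) -> bool:
    """Stricter check: exactly one statement, its first keyword SELECT, and no
    write keyword among its tokens. Quoted identifiers that happen to be keywords
    are rejected too (conservative). An unterminated literal or comment leaves its
    contents visible to the token scan, so malformed input fails closed."""
    tokens = [t.upper() for t in _TOKEN_RE.findall(strip_literals_and_comments(sql))]
    if tokens and tokens[-1] == ";":      # one trailing terminator is fine
        tokens.pop()
    if not tokens or tokens[0] != "SELECT":
        return False
    if ";" in tokens:                     # stacked statements: "SELECT 1; DROP TABLE ..."
        return False
    return not any(t in WRITE_KEYWORDS for t in tokens)


# Constructed sample queries (not from the original thread) showing where each
# check goes wrong. Each entry: (sql, expected verdict for a read-only report).
SAMPLES = [
    ("SELECT id, name FROM deleted_items WHERE status = 'active'", True),
    ("SELECT * FROM notes WHERE body = 'insert here'", True),
    ("SELECT 1; DROP TABLE Orders", False),
    ("SELECT 'x--'; DELETE FROM Orders", False),
    ("UPDATE Orders SET total = 0 WHERE id IN (SELECT id FROM Orders)", False),
    ("SELECT name INTO Orders_copy FROM Orders", False),
]


def evaluate_samples():
    """Return {sql: (variant1, variant2, strict, expected)} for every sample."""
    return {
        sql: (posted_select_check(sql), posted_keyword_check(sql),
              is_read_only_select(sql), expected)
        for sql, expected in SAMPLES
    }


if __name__ == "__main__":
    for sql, (v1, v2, strict, expected) in evaluate_samples().items():
        print(f"{sql!r}\n  select-present={v1} no-keyword={v2} "
              f"strict={strict} expected={expected}")
```

Running the block prints one line per sample; only the strict check agrees with the expected verdict on every row. The strict check still cannot tell whether a function or stored procedure called from a SELECT has side effects, which is why the database account's privileges remain the control that actually decides what the report designer can do.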
  • edited November 2007
    Nard

    Would that mean that each time we upgrade we have to redo this? Have you
    guys thought of this before, and of stopping it? We were security tested
    recently and the testers managed to do some real damage, which did not give
    us or ReportBuilder any good press.

    Cheers

    Mark

  • edited November 2007

    Thanks for the feedback.

    - This is something we can add for the next major release.

    - For tighter security you can optionally set

    Designer.DataSettings.AllowEditSQL to False
    Designer.AllowDataSettingsChange to False

    - and you can use the RB DataDictionary to limit which tables and fields
    are displayed by the query wizard and query designer.


    --
    Nard Moseley
    Digital Metaphors
    www.digital-metaphors.com

  • edited November 2007
    Nard

    Thanks for the quick reply. Will have to use the blocking of SQL editing
    for now, as that's where the problem was. Trouble is, that's useful for
    report writers.

    When is the next release that this may be included in? Or, failing that,
    could you provide a patch in advance? Happy to test it for you. As you can
    imagine, this raised some eyebrows recently.

    Cheers

    Mark

  • edited November 2007

    I recommend modifying the source code to the relevant DADE plug-in (see my
    first response to this thread). My intent was for you to try implementing
    that code as a solution to your issue.


    --
    Nard Moseley
    Digital Metaphors
    www.digital-metaphors.com
