Security problem in edit SQL
I found a serious security problem: SQL Edit allows the insertion of a delete
command, for example: delete from user where name like ....
It returns an error message that the command did not work, but it
still runs. For the end user who can edit reports it is a party.
Need to block these words from being typed in the editor: DELETE, INSERT,
UPDATE.
thanks
Comments
One option for implementing that type of security is to leverage the
security features provided by the database. Most database products enable user
and security roles to be defined.
Another option is to customize the DADE plug-in you are using. For example
if you are using ADO, you can modify daADO.pas, the method
TdaADOQueryDataView.SQLChanged, to scan the SQL string and raise an
exception.
RB does not implement database command level security. There is only an
option for DatabaseSettings.AllowEditSQL. When that option is set to True,
the user can specify any SQL command.
--
Nard Moseley
Digital Metaphors
www.digital-metaphors.com
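The second option in the reply (scan the SQL string and raise an exception) is sketched below as an added example; it is not ReportBuilder code and not Digital Metaphors' code. Rather than blacklisting the words DELETE, INSERT and UPDATE as the question asks, it allow-lists: the editor text must start with SELECT and must not carry a second statement after a semicolon, so a write command hidden behind a comment or chained after a harmless query is rejected too. The hook point (calling EnsureReadOnlySQL from a method such as TdaADOQueryDataView.SQLChanged) is assumed and not shown; the unit name, function names and sample statements are constructed for this example.

```pascal
unit SqlEditGuard;

{ Added example (not ReportBuilder / Digital Metaphors code).
  Allow-list check for user-edited SQL: deny by default, accept only a
  single SELECT statement. Intended to be called from a SQLChanged-style
  hook before the SQL reaches the database (assumed integration point). }

interface

uses
  SysUtils;

type
  ESqlEditRejected = class(Exception);

function IsSingleSelect(const SQL: string): Boolean;
procedure EnsureReadOnlySQL(const SQL: string);
procedure SelfCheck;

implementation

{ First keyword of the statement, upper-cased, ignoring leading whitespace.
  A statement that opens with a comment or anything else yields '' and is
  therefore rejected. }
function FirstKeyword(const SQL: string): string;
var
  i: Integer;
begin
  Result := '';
  i := 1;
  while (i <= Length(SQL)) and (SQL[i] <= ' ') do
    Inc(i);
  while (i <= Length(SQL)) and (SQL[i] in ['A'..'Z', 'a'..'z']) do
  begin
    Result := Result + UpCase(SQL[i]);
    Inc(i);
  end;
end;

{ True when a ';' occurs outside a single-quoted literal, i.e. the text
  carries a second statement such as "select 1; delete from user". }
function HasStatementSeparator(const SQL: string): Boolean;
var
  i: Integer;
  InQuote: Boolean;
begin
  Result := False;
  InQuote := False;
  for i := 1 to Length(SQL) do
  begin
    if SQL[i] = '''' then
      InQuote := not InQuote          { a doubled '' toggles twice: no change }
    else if (SQL[i] = ';') and not InQuote then
    begin
      Result := True;
      Exit;
    end;
  end;
end;

function IsSingleSelect(const SQL: string): Boolean;
begin
  Result := (FirstKeyword(SQL) = 'SELECT') and not HasStatementSeparator(SQL);
end;

procedure EnsureReadOnlySQL(const SQL: string);
begin
  if not IsSingleSelect(SQL) then
    raise ESqlEditRejected.Create(
      'Only a single SELECT statement may be entered in the SQL editor.');
end;

{ Constructed sample inputs exercising the accept and reject paths. }
procedure SelfCheck;
begin
  Assert(IsSingleSelect('select name from user'));
  Assert(IsSingleSelect('select ''a;b'' as x from user'));   { ';' inside a literal }
  Assert(not IsSingleSelect('delete from user where name like ''a%'''));
  Assert(not IsSingleSelect('select 1; delete from user'));  { chained statement }
  Assert(not IsSingleSelect('/* report */ delete from user')); { leading comment }
end;

end.
```

The check is deliberately conservative: a semicolon inside a comment causes a false rejection, which is the safe direction. It is still only a filter on text; a SELECT that invokes a side-effecting stored function, or a vendor form such as SELECT ... INTO, passes it. The reply's first option, running the report connection under a database account or role that holds SELECT privileges only, is the control that holds whatever the editor accepts, and the scan is best used in addition to it, not instead of it.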