Comments
One solution would be to modify the DADE plug-in to allow only Select
statements. For example, if you are using ADO, modify daADO.pas, the method
TdaADOQueryDataView.SQLChanged.
Example:
  lsSQLText := SQL.MagicSQLText;
  if Pos('SELECT', UpperCase(lsSQLText)) = 0 then
    raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL SELECT not specified');
  FQuery.SQL.Assign(lsSQLText);
...or code it like this...
  if Pos('DROP', UpperCase(lsSQLText)) > 0 then
    raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL DROP not allowed');
  if Pos('DELETE', UpperCase(lsSQLText)) > 0 then
    raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL DELETE not allowed');
  if Pos('INSERT', UpperCase(lsSQLText)) > 0 then
    raise EDataError.Create('TdaADOQueryDataView.SQLChanged: SQL INSERT not allowed');
  FQuery.SQL.Assign(lsSQLText);
Best regards,
Nard Moseley
Digital Metaphors
www.digital-metaphors.com
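As an added illustration (not code from the thread or from ReportBuilder), here is the same SELECT-only rule written as a small tokenizing validator in Python, the logic one would port into SQLChanged: it requires the statement to begin with SELECT, rejects statement separators, comments and data-changing keywords that appear outside string literals, and so avoids the false positive the Pos() check gives on a column such as DropDate. The keyword list, the sample queries and the table/column names are constructed for the example.

```python
import re

# Statement-level keywords a report query must never contain outside a
# string literal. Constructed list for this example; extend it for your DBMS.
FORBIDDEN = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE",
             "TRUNCATE", "EXEC", "EXECUTE", "GRANT", "MERGE", "INTO"}

# One token per match: a complete single-quoted literal (with '' escapes),
# an identifier or keyword, a statement separator, a comment opener, or any
# other non-space character (a lone quote means an unterminated literal).
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|;|--|/\*|\S")

def validate_select_only(sql):
    """Return (ok, reason); ok is True only for a single plain SELECT."""
    tokens = TOKEN_RE.findall(sql)
    if not tokens or tokens[0].upper() != "SELECT":
        return False, "statement must begin with SELECT"
    for tok in tokens:
        if tok == ";":
            return False, "statement separator not allowed"
        if tok in ("--", "/*"):
            return False, "comments not allowed"
        if tok == "'":
            return False, "unterminated string literal"
        if tok.upper() in FORBIDDEN:   # text inside literals never reaches here
            return False, "keyword not allowed: " + tok.upper()
    return True, ""

def substring_check(sql):
    """The Pos()-based check from the post above, transcribed for comparison."""
    upper = sql.upper()
    if "SELECT" not in upper:
        return False
    return not any(word in upper for word in ("DROP", "DELETE", "INSERT"))

if __name__ == "__main__":
    # Constructed sample queries, as a report designer user might type them.
    legit = "SELECT CustNo, DropDate FROM Orders WHERE Status = 'DELETED'"
    stacked = "SELECT CustNo FROM Orders; DELETE FROM Orders"
    print(validate_select_only(legit))    # (True, '')
    print(substring_check(legit))         # False: 'DropDate' contains DROP
    print(validate_select_only(stacked))  # (False, 'statement separator not allowed')
```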
Would that mean that each time we upgrade we have to re-do this? Have you
guys thought of this before, and about stopping it? We were security tested
recently and the testers managed to do some real damage that did not give us
or ReportBuilder any good press.
Cheers
Mark
Thanks for the feedback.
- This is something we can add for the next major release.
- For tighter security you can optionally set
Designer.DataSettings.AllowEditSQL to False
Designer.AllowDataSettingsChange to False
- and you can use the RB DataDictionary to limit which tables and fields
are displayed by the query wizard and query designer.
Best regards,
Nard Moseley
Digital Metaphors
www.digital-metaphors.com
Thanks for the quick reply. Will have to use the block editing of the SQL
for now, as that's where the problem was. Trouble is, that's useful for report
writers.
When is the next release that this may be included in, or failing that, could
you provide a patch in advance? Happy to test it for you. As you can imagine,
this raised some eyebrows recently.
Cheers
Mark
I recommend modifying the source code to the relevant DADE plug-in (see my
first response to this thread). My intent was for you to try implementing
that code as a solution to your issue.
Best regards,
Nard Moseley
Digital Metaphors
www.digital-metaphors.com