Re: Security problem

I don't think that at the serverside Oracle can reliably detect what client program is sending a command, so this can be no basis for a security scheme. What I think you should do:

• refuse any DML on the tables for end users
• write stored procedures which perform the tasks you want performed, under an DML-authorised user
• let those stored procedures have a secret IN-parameter
• execute the stored procedures from within the client software, using the secret parameter
• give execute rights on those stored procedures to the end users

In this way end users can use the client software, but cannot themselves use DML on the tables directly.
Maybe using stored procedures is already enough security and there is no need for a secret parameter.

Jaap.

Sex_appeal heeft geschreven in bericht <87e9ri$kos$1_at_lola.ctv.es>...
>Hi,
>¿How can I avoid the user uses any application to access the database
>instead my application?
>I have some row level security tables, and I don't want to use views
>(performance reasons), so I have to improve security at application
>level, but If the users access the database with any other application
>(like SQL explorer), they could get any information within the table.
>¿Is there any way to avoid it?
>
>Thanks!
>
>
Received on Fri Feb 04 2000 - 06:27:00 CST