Re: Client/Server Security

From: Joseph Testa <jtesta_at_freenet.columbus.oh.us>
Date: 1996/10/30
Message-ID: <5584td$7o0_at_login.freenet.columbus.oh.us>#1/1


Ray Dowling (rdowling_at_b022.aone.net.au) wrote: <snip>
: Some users will have access to HP-UX to perform other functionality and
: hence access to SQLPLUS. They may then CONNECT as the granted user and
: perform the data base functions allowed (by the roles).
: OR any ODBC front-end software (eg Excel, Access) will allow updates to
: the data base (thereby bypassing the Developer Form validation) using
: the username and roles provided.

Let me tell you how we are handling it. We allow no one access to the database except via the applications we write. We wish we could enforce this, but we usually can't. So what we have done is this: using the dbms_application package (the set_client_info procedure), all of our apps put a code in there. For all updates/inserts/deletes on all tables for the application (all tables already have a database trigger), when the trigger fires there is code that extracts the stored value from the get_client_info procedure and compares it against a table of valid values. If it matches (i.e. a registered application), it continues on; if it doesn't, then we blow out the app with a raise_application_error. Not sure if this will work for you; hope that helps some. Joe

-- 
Joseph S. Testa, Database Administrator, Ohio EPA
  N8XCT, Emergency Coordinator (EC) & Local Govt Liaison (LGL)
  Pickaway County, OH and Official Relay Station (ORS), message content
  are MY views and NOT my current employer.
Received on Wed Oct 30 1996 - 00:00:00 CET
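
A sketch of the trigger check described in the message above, added here as an example and not the poster's own code. It is written against Oracle's DBMS_APPLICATION_INFO package (SET_CLIENT_INFO / READ_CLIENT_INFO); the table, procedure and trigger names and the application code value are assumptions made for illustration.

```sql
-- Hypothetical table of registered application codes (names are assumptions).
CREATE TABLE registered_apps (
  app_code VARCHAR2(64) PRIMARY KEY,
  app_name VARCHAR2(100) NOT NULL
);

INSERT INTO registered_apps (app_code, app_name)
VALUES ('ORDERS-FORM-PLACEHOLDER', 'Order entry form');  -- constructed sample value

-- Hypothetical application table protected by the trigger.
CREATE TABLE orders (
  order_id NUMBER PRIMARY KEY,
  status   VARCHAR2(20)
);

-- Shared check, so every table trigger calls the same code.
CREATE OR REPLACE PROCEDURE assert_registered_app IS
  v_info  VARCHAR2(64);
  v_count PLS_INTEGER;
BEGIN
  -- Read the value the session stored with SET_CLIENT_INFO (NULL if never set).
  DBMS_APPLICATION_INFO.READ_CLIENT_INFO(v_info);

  SELECT COUNT(*) INTO v_count
    FROM registered_apps
   WHERE app_code = v_info;   -- a NULL client_info matches no row

  IF v_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'DML on this table is only allowed through a registered application');
  END IF;
END assert_registered_app;
/

-- Statement-level trigger: one check per INSERT/UPDATE/DELETE statement.
CREATE OR REPLACE TRIGGER orders_app_check
BEFORE INSERT OR UPDATE OR DELETE ON orders
BEGIN
  assert_registered_app;
END;
/

-- In the application, immediately after connecting:
BEGIN
  DBMS_APPLICATION_INFO.SET_CLIENT_INFO('ORDERS-FORM-PLACEHOLDER');
END;
/
```

The client_info value is set by the session itself, so this check guards against accidental ad-hoc DML from SQL*Plus or ODBC tools rather than acting as an authentication boundary; keep role grants minimal alongside it. Do not grant end users SELECT on registered_apps; the procedure reads it with its owner's rights.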
