Re: Modifying SQL query for security?? What is your opinion?

From: Edward Barlow <sqltech_at_tiac.net>
Date: 1996/11/18
Message-ID: <56t1qs$s1o_at_news-central.tiac.net>


>Sandor Laza wrote:

>> A company prepared a security study for us in which they
>> advised not to use trusted RDBMS systems (like Trusted Oracle
>> or Trusted Ingres), but to develop an application which captures all the
>> SQL queries sent to the server and modifies them according to several security
>> rules ...

What is your goal here? Do you wish to hide the DBMS implementation? Prohibit direct access to the server? Audit queries being sent to your server? Hide the actual data being transferred? Hide passwords? Remember that if your network is TCP/IP, most of what is sent to your middleware is readable unless that middleware lives on the client itself. If you put your middleware on the network you gain little security of any sort.

There are several approaches that you could take - and it really depends on what you want to protect. In Sybase, most good application designs would involve use of stored procedures - how would you modify a proc call like "add_object @id=25, @price=55" to add to your "security"? The id and price are visible on the LAN and the query's objective is pretty obvious.

The best approaches to Sybase security that I have seen involve some "security applet" that handles appropriate permissioning and encryption and forces access from predefined applications. You set it up so only your application has access to the add_object proc.

Good luck
Ed
sqltech_at_tiac.net
http://www.tiac.net/users/sqltech

Received on Mon Nov 18 1996 - 00:00:00 CET
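The "only your application has access to the add_object proc" setup Ed describes, as an added example that is not part of the original post. It is written in Transact-SQL as used by Sybase ASE (batches separated by `go` for isql); the table name `objects`, the columns, the user name `app_user`, the error numbers and the body of `add_object` are all assumptions, since the thread only names the proc and its two parameters. The point it demonstrates is that the permission boundary is the procedure itself: the application account gets EXECUTE on `add_object` and nothing on the table, so there is no query a rewriting proxy would need to block, because the client has no way to issue one.

```sql
-- Added example, not from Ed Barlow's post. Transact-SQL (Sybase ASE
-- dialect). Table, columns, user name and error numbers are assumed.

-- Base table: the data the application may only append to, never read
-- or modify directly.
CREATE TABLE objects (
    id       int         NOT NULL PRIMARY KEY,
    price    money       NOT NULL,
    added_by varchar(30) NOT NULL,
    added_at datetime    NOT NULL
)
go

-- The one sanctioned write path. Validation lives here, server-side,
-- so a client cannot sidestep it by sending its own INSERT: it has no
-- INSERT permission to begin with.
CREATE PROCEDURE add_object
    @id    int,
    @price money
AS
BEGIN
    IF @price <= 0
    BEGIN
        -- user-defined error numbers in ASE must be >= 20000 (assumed values)
        RAISERROR 20001 "add_object: price must be positive"
        RETURN 1
    END
    IF EXISTS (SELECT 1 FROM objects WHERE id = @id)
    BEGIN
        RAISERROR 20002 "add_object: id already exists"
        RETURN 1
    END
    -- record who called, from the login name the server authenticated,
    -- not from anything the client supplied
    INSERT INTO objects (id, price, added_by, added_at)
    VALUES (@id, @price, suser_name(), getdate())
    RETURN 0
END
go

-- Nobody gets at the table directly ...
REVOKE ALL ON objects FROM public
go

-- ... and the application account gets EXECUTE on the procedure only.
-- Because the proc and the table share an owner, ownership chaining
-- lets the proc insert even though app_user has no rights on objects.
GRANT EXECUTE ON add_object TO app_user
go

-- What a session logged in as app_user can and cannot do:
EXEC add_object @id = 25, @price = 55
-- succeeds: the call Ed quotes, now the only way to write a row
-- SELECT * FROM objects                         -> permission denied
-- INSERT INTO objects VALUES (26, 1, 'x', getdate()) -> permission denied
-- EXEC add_object @id = 25, @price = -1         -> rejected inside the proc
```

This does not address the other half of Ed's point: the `@id=25, @price=55` values still travel over the LAN in the clear, so the procedure boundary limits what a caller can do, not what an observer can see. Encrypting the client connection or keeping the middleware on the client is a separate measure.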
