Re: Modifying SQL query for security?? What is your opinion?

From: Barry Johnson <BJohnson_at_WorldBank.Org>
Date: 1996/11/19
Message-ID: <3291CA36.E64_at_WorldBank.Org>


Sandor Laza wrote:
> A company prepared a security study for us in which they
> advised not to use trusted RDBMS systems (like Trusted Oracle
> or Trusted Ingres), but to develop an application which captures all the
> SQL queries sent to the server and modifies them according to several security
> rules ...
>
> Sandor Laza
> Security officer
>
> OPCW
> Tel: 31-70 3761700
> Fax: 31-70 3600944
> E-Mail: sandor.laza_at_opcw.nl or slaza_at_worldonline.nl

I don't know about the trustworthiness of vendor implementations, but given the money they spend to do such stuff I'd rather at least *start* with their efforts...I'd be nervous about the alternative you describe, both for its scope to implement (as you note) *and* for sustaining it with the porting/testing that might be required in new releases.

As an alternative, you might consider implementing control by limiting access to views only, and try to codify some of your rules in the view WHERE clause. If updating is involved, read about the view WITH CHECK OPTION clause also.

This should all be standard, off-the-shelf SQL.

If Oracle is your "poison", you might also be able to code an access control procedure in PL/SQL that embodies your security rules and include a call to it as part of the view WHERE clause to achieve some of what you seek without the complexity...it gets you into some proprietary stuff, but possibly in a more manageable way...

HTH...BJ

-- 
Barry Johnson  -  BJohnson_at_WorldBank.Org  -  ph. (202)458-0585
Received on Tue Nov 19 1996 - 00:00:00 CET
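The view-based approach Barry describes, worked through as an added example (this is not code from the original post or from either poster). The table, the sample rows, the `manager` column used as the ownership rule and the role names `mgr_fin` / `mgr_ops` are all constructed here and assumed to exist; the syntax is standard SQL with `CURRENT_USER` (Oracle spells the same thing `USER`):

```sql
-- Added example, not from the original thread. Schema and data are constructed.
-- Base table: application users never get privileges on it directly.
CREATE TABLE employee (
    emp_id   INTEGER        PRIMARY KEY,
    emp_name VARCHAR(60)    NOT NULL,
    dept     VARCHAR(20)    NOT NULL,
    salary   NUMERIC(10,2)  NOT NULL,
    manager  VARCHAR(30)    NOT NULL    -- login name of the owning manager (constructed rule)
);

-- Constructed sample rows.
INSERT INTO employee VALUES (1, 'A. Smith', 'FIN', 61000.00, 'mgr_fin');
INSERT INTO employee VALUES (2, 'B. Jones', 'FIN', 58000.00, 'mgr_fin');
INSERT INTO employee VALUES (3, 'C. Brown', 'OPS', 49000.00, 'mgr_ops');

-- The security rule is codified in the view's WHERE clause: a manager sees
-- only the rows whose manager column equals the connected login.
-- WITH CHECK OPTION extends the same rule to writes made through the view:
-- any INSERT or UPDATE whose resulting row would fall outside the WHERE
-- clause is rejected by the DBMS instead of silently leaving the view.
CREATE VIEW my_staff AS
    SELECT emp_id, emp_name, dept, salary, manager
      FROM employee
     WHERE manager = CURRENT_USER
WITH CHECK OPTION;

-- Grant on the view only; the base table stays closed.
REVOKE ALL ON employee FROM PUBLIC;
GRANT SELECT, UPDATE ON my_staff TO mgr_fin, mgr_ops;

-- Connected as mgr_fin: returns emp_id 1 and 2 only.
SELECT emp_id, emp_name, salary FROM my_staff;

-- Connected as mgr_fin: allowed, the row still satisfies manager = CURRENT_USER.
UPDATE my_staff SET salary = 62000.00 WHERE emp_id = 1;

-- Connected as mgr_fin: rejected by WITH CHECK OPTION, because the updated row
-- would no longer be visible through my_staff (without the option it would succeed
-- and the row would simply vanish from the manager's view).
UPDATE my_staff SET manager = 'mgr_ops' WHERE emp_id = 1;

-- Connected as mgr_fin: also rejected, an insert for another manager's staff.
INSERT INTO my_staff VALUES (4, 'D. White', 'OPS', 45000.00, 'mgr_ops');
```

The point a practitioner should check on their own DBMS is the last two statements: without `WITH CHECK OPTION` the view still filters reads correctly, but an updatable view lets a user write rows they can no longer see, which is exactly the gap the option closes. Barry's PL/SQL suggestion is the same pattern with `manager = CURRENT_USER` replaced by a call to a function that encodes a richer rule, at the cost of tying the views to one vendor.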
