Re: Modifying SQL query for security?? What is your opinion?

From: Bruce Horrocks <Bruce.Horrocks_at_gecm.com>
Date: 1996/11/19
Message-ID: <56sbg2$63t_at_gcsin3.geccs.gecm.com>#1/1


Sandor Laza <slaza_at_worldonline.nl> wrote:
>Hi guys,
>
>I need some advice:
>
>A company prepared a security study for us in which they
>advised not to use trusted RDBMS systems (like Trusted Oracle
>or Trusted Ingres), but develop an application which captures all the
>SQL queries sent to the server, modifies them according to several security
>rules (for example extend the where clause somehow) and passes the
>modified query to the RDBMS engine.

Frankly, this sounds like a pretty naive suggestion to me. It is error-prone and costly to implement.

However, you don't say anything about what level of security you really need. If you need security to "government top secret" levels then I suggest that you get a firm of security specialists on board and leave it up to them.

If you need security to the level where users can't fiddle, then preventing all access other than through the application may be sufficient.

Regards,



Bruce Horrocks
EASAMS Limited (...but speaking for myself)
Waters Edge, Riverside Way, Watchmoor Park, Camberley, Surrey, GU15 3PD, UK
Tel: +44 1276 686777
Tel: +44 1276 693081 (direct)
Fax: +44 1276 686623
X400: S=HORROCKS,G=BRUCE,I=B,O=EASAMS LTD,P=GEC MARCONI,A=ATTMAIL,C=GB
Mailto:Bruce.Horrocks_at_gecm.com
Received on Tue Nov 19 1996 - 00:00:00 CET
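
Added example, not part of the original message or of either poster's code: a minimal sketch of the "extend the where clause" interceptor described in the question, run against SQLite to show two ways textual rewriting goes wrong. The `orders` table, its rows, and the functions `naive_rewrite` and `wrapped_rewrite` are constructed for illustration; the wrapped form is shown only for contrast and is an assumption, not something proposed in the thread.

```python
import sqlite3

# Constructed sample data: (id, owner, status)
ROWS = [(1, "alice", "open"), (2, "alice", "closed"),
        (3, "bob", "open"), (4, "bob", "closed")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, status TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return db

def naive_rewrite(sql):
    """Hypothetical interceptor: append the row-ownership rule to the query text."""
    joiner = " AND " if " where " in sql.lower() else " WHERE "
    return sql + joiner + "owner = :user"

def wrapped_rewrite(sql):
    """Contrast: treat the caller's query as an opaque subquery and filter its result.
    Still fragile: it only works when the query projects the owner column."""
    return f"SELECT * FROM ({sql}) WHERE owner = :user"

def owners_seen(db, sql, user):
    """Return the distinct owners whose rows the query exposes to `user`."""
    return sorted({row[1] for row in db.execute(sql, {"user": user})})

def demo():
    db = make_db()
    # An ordinary application query containing OR. AND binds tighter than OR,
    # so the appended rule only constrains the last branch.
    q_or = ("SELECT id, owner, status FROM orders "
            "WHERE status = 'closed' OR status = 'open'")
    # An ordinary query with ORDER BY: appending WHERE after it is invalid SQL.
    q_sorted = "SELECT id, owner, status FROM orders ORDER BY id"
    try:
        db.execute(naive_rewrite(q_sorted), {"user": "alice"})
        order_by_breaks = False
    except sqlite3.OperationalError:
        order_by_breaks = True
    return {
        "naive": owners_seen(db, naive_rewrite(q_or), "alice"),
        "wrapped": owners_seen(db, wrapped_rewrite(q_or), "alice"),
        "order_by_breaks": order_by_breaks,
    }

if __name__ == "__main__":
    print(demo())
```

With the naive rewrite, alice's session also receives bob's closed order, and the sorted query stops working altogether.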
