Re: Modifying SQL query for security?? What is your opinion?

From: H.S. Prasad 4-8398 <hprasad>
Date: 1996/11/20
Message-ID: <56utbf$ikp_at_hardcopy.ny.jpmorgan.com>#1/1

This can also lead to very serious performance problems. That is the reason there are Stored procedures and Views (to have a better handle on security). This looks more like an open server project which can be accomplished otherwise.

-Prasad

cpcohen_at_inforamp.net (Charles P. Cohen) wrote:
>Sandor Laza <slaza_at_worldonline.nl> wrote:
>
>>I company prepared a security study for us in which they
>>advised not to use trusted RDBMS systems (like trusted Oracle
>>or Trusted Ingres), but develop an application which capture all the
>>SQL querys sent to the server modify them according several security
>>rules (for example extend the where clouse somehow) and pass the
>>modified query to the RDBMS engine.
>
>
>>Have you ever seen or heard about this kind of solution implemented?
>>What do you think, it is feasible?

>>My personal opinion is, that it can be implemented, but the
>>implementation means at least the reimplementation of the SQL
>>interpreter of the given RDBMS. Or not?
>
>I see some problems:
>
> 1) Your application structure will be corrupted
> by having to send every query through a "security process".
> The standard call-libraries will have to be changed, you
> won't be able to use the normal 4GL's, etc.
>
> 2) Whenever anything goes wrong, your vendor will say:
> "You're doing _what_????"
>
> 3) The consultant is suggesting that a "home-grown" solution
> will be better than one offered, _and supported_, by the DBMS
> vendor. This is not likely to be true.
>
>You'd have to re-implement the SQL _parser_, not the whole interpreter
>-- that is, you wouldn't have to _execute_ any of the queries, just
>understand and modify them.
>
>Is your application worth this much worry about security? Did the
>consultant find specific problems with the Ingres or Oracle security
>systems? Does his proposal _really_ avoid those problems?
>
>

-- 
/***********************************************************************/
H.S. Prasad                                     Standard Disclaimer
Email: prasad_hs_at_jpmorgan.com
Phone: (302)634-8398
Fax  : (302)634-8563
/***********************************************************************/

Received on Wed Nov 20 1996 - 00:00:00 CET

This message: [ Message body ]
Next message: Roger Books: "Re: Modifying SQL query for security?? What is your opinion?"
Previous message: Don Granaman: "Re: Why assign a size to a tablespace ?"
Maybe in reply to: Sandor Laza: "Modifying SQL query for security?? What is your opinion?"
In reply to Charles P. Cohen: "Re: Modifying SQL query for security?? What is your opinion?"
Next in thread: Roger Books: "Re: Modifying SQL query for security?? What is your opinion?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message