Re: Modifying SQL query for security?? What is your opinion?

From: mc <mdchachi_at_mljdag1.dev.japan.ml.com>
Date: 1996/11/20
Message-ID: <32928131.3122_at_mljdag1.dev.japan.ml.com>#1/1


Sandor Laza wrote:
>
> Hi guys,
>
> I need some advice:
>
> A company prepared a security study for us in which they
> advised not to use trusted RDBMS systems (like trusted Oracle
> or Trusted Ingres), but develop an application which captures all the
> SQL queries sent to the server, modifies them according to several security
> rules (for example extend the where clause somehow) and passes the
> modified query to the RDBMS engine.
>
> Have you ever seen or heard about this kind of solution implemented?
> What do you think, is it feasible?
>
> My personal opinion is, that it can be implemented, but the
> implementation means at least the reimplementation of the SQL
> interpreter of the given RDBMS. Or not?

If you're talking Sybase, it is a relatively simple matter to write a pass-through open server. This means that all programs would think they're referencing a Sybase server but would be going through your Open Server program instead. The Open Server would simply take any input given, parse and manipulate it (add your security stuff), pass it on to the real Sybase Server and then pass the results back. The interface for all programs remains the same. Isql would still work, ODBC connections, whatever. This is basically the kind of thing Sybase Open Server is ideal for.

Mike

Received on Wed Nov 20 1996 - 00:00:00 CET
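The "parse and manipulate" step of such a pass-through layer, as an added example that is not part of the original thread: it extends the WHERE clause with a policy filter and refuses any statement it cannot fully account for. Python and an in-memory SQLite table stand in for Open Server and Sybase; the `orders` table, the `dept` policy column and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Accepted shape: SELECT cols FROM table [WHERE predicate]. Anything else is refused.
SHAPE = re.compile(r"\s*SELECT\s+([\w\s,*]+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*",
                   re.IGNORECASE | re.DOTALL)
UNSAFE = re.compile(r";|--|/\*|[\"`\[\]]|\b(?:select|union)\b", re.IGNORECASE)

def check_predicate(pred):
    """Refuse predicates that could escape the parentheses the rewrite adds."""
    depth, i, outside = 0, 0, []
    while i < len(pred):
        if pred[i] == "'":                          # skip over a string literal
            end = pred.find("'", i + 1)
            while end >= 0 and pred[end + 1:end + 2] == "'":   # '' is an escaped quote
                end = pred.find("'", end + 2)
            if end < 0:
                raise ValueError("unterminated string literal")
            outside.append(" ")
            i = end + 1
            continue
        depth += {"(": 1, ")": -1}.get(pred[i], 0)
        if depth < 0:
            raise ValueError("unbalanced parenthesis")
        outside.append(pred[i])
        i += 1
    if depth or UNSAFE.search("".join(outside)):
        raise ValueError("predicate outside the supported subset")

def rewrite(sql, policy_column="dept"):
    """Return the query with the caller's predicate ANDed with a bound policy filter."""
    m = SHAPE.fullmatch(sql)
    if not m:
        raise ValueError("statement outside the supported subset")
    cols, table, pred = m.groups()
    if pred is None:
        return f"SELECT {cols} FROM {table} WHERE {policy_column} = ?"
    check_predicate(pred)
    # Parentheses matter: "a OR b AND dept = ?" parses as "a OR (b AND dept = ?)",
    # which would let the caller's OR branch skip the policy filter.
    return f"SELECT {cols} FROM {table} WHERE ({pred}) AND {policy_column} = ?"

def run(sql, dept):
    """Run a rewritten query against constructed sample data (two departments)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, dept TEXT, amount INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "sales", 10), (2, "sales", 20), (3, "hr", 30)])
    return db.execute(rewrite(sql), (dept,)).fetchall()
```

Even this narrow subset needs its own handling of string literals, comments and nesting, which is the reimplementation cost the original question raises.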
