Re: View updating in practice?

From: Ed Prochak <edprochak_at_adelphia.net>
Date: Sun, 10 Nov 2002 20:50:02 GMT
Message-ID: <3DCEC92B.9090101_at_adelphia.net>

Alexander Kuznetsov wrote:
> Hi Jens,
>
> <I think>
> once upon a time, I had 1 yr experience in T-SQL and Sybase and
> considered myself quite an expert. Oops! I issued and UPDATE without
> WHERE clause againsht a beeeeeeg table in a production database.
>
> Updatable views you are speaking about are no more dangerous than
> standard ANSI compliant DML, as long as UPDATE/DELETE statements can
> run without WHERE clause.
>
> Since then I have dealt with more than 20 similar mishtakes made by
> other developers, so I've quite atoned for that error. I'm sick, sick,
> sick of it. Currently our middelware wont let thru a statement without
> WHERE clause.
>
> I'd say here is a very useful updateable view (anybody may deal with
> there own data only)
>
> CREATE VIEW MY_DATA
> AS
> SELECT * FROM ALL_DATA WHERE ENTERED_BY = CURRENT USER
>
> Funnelling all the OLTP threw this view would have prevened the
> disashter I was speakin about. Such views are very frequently used out
> here in the field.
> </I think>
>
> What do you think?

Possibly you have a false sense of security. Consider

DELETE FROM ALL_DATA
WHERE 1=1; So your middleware check reduces, but does not eliminate the danger.

Ed Received on Sun Nov 10 2002 - 21:50:02 CET

This message: [ Message body ]
Next message: Jan Hidders: "Re: Hotel Booking dates subquery"
Previous message: Jan Hidders: "Re: Hotel Booking dates subquery"
Maybe in reply to: Jens Lechtenbörger: "View updating in practice?"
In reply to Alexander Kuznetsov: "Re: View updating in practice?"
Next in thread: Jan Hidders: "Re: Hotel Booking dates subquery"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message