
SQL server and ASP

MC
I'm trying to use ASP pages generated in Frontpage to update an SQL server
database. I can view information from the database but cannot update, I
just get a message saying an error has occurred. I am not too worried about
security, I'd be happy with one login that has the rights to do anything in
the database, create, delete, etc. So 2 questions:-

What's the easiest way of making a user account that has access to all db's
Where are the error logs for the ASP page attempting to update the DB
stored?
Thanks in advance!
Jul 19 '05 #1


I suggest not letting FrontPage do this for you... spend an hour at an ASP
database tutorial and you will be much better off in the long run. There
are plenty of code snippets at different places, you could start here:
http://www.aspfaq.com/2183

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Jul 19 '05 #2

On Tue, 11 May 2004 17:26:13 +0100, "MC"
<maxcoppin@-don't-send-me-any-spam-btinternet.com> wrote:
> I'm trying to use ASP pages generated in Frontpage to update an SQL server
> database. I can view information from the database but cannot update, I
> just get a message saying an error has occurred. I am not too worried about
> security, I'd be happy with one login that has the rights to do anything in
> the database, create, delete, etc. So 2 questions:-
>
> What's the easiest way of making a user account that has access to all db's
> Where are the error logs for the ASP page attempting to update the DB
> stored?


1) You missed the alt.rocketscience group I believe...
2) This is irrelevant in five out of the six groups you hit, and you
missed an even better one.
3) You need to learn to post errors if you want solutions. Post the
complete error message.

With all of that said, FrontPage isn't the best method for coding ASP,
and you may be running into any number of permission errors. If you
post the error, we can likely direct you to a solution, be it
FrontPage, ASP or SQL, or more likely, a Windows permission error of
some sort.

Jeff
Jul 19 '05 #3

MC
I'm using the code in one of my ASP pages now that was working with Access.
The error code is:-

-2147217900

I can perform Select and update but not delete.

I took your advice and the profiler shows two "SQL:BatchCompleted" events
occurring, one with the correct syntax:-

DELETE * FROM hold WHERE ISBN='188477766X' AND Username='test'

and one with

select * from DELETE * FROM hold WHERE ISBN='188477766X' AND Username='test'

What is causing this? My asp code is below:-

Dim conn, rshold
Set conn = Server.CreateObject("ADODB.Connection")
Set rshold = Server.CreateObject("ADODB.Recordset")
'---Opens the connection to the database---
conn.open "Provider=SQLOLEDB; Data Source = (local); Initial Catalog = LibrarySQL; User Id = *****; Password=*****"
'---Retrieve the holds
sqlhold = "DELETE * FROM hold WHERE ISBN='" & Request.QueryString("ISBN") & "' AND Username='" & Request.QueryString("Username") & "'"

On Error Resume Next
conn.Execute(sqlhold)
if err.number <> 0 then
    Response.Write "An error has occured"
    Response.Write "Error code: " & err.number & "<br/>"
    response.Write sqlHold
else
    Response.Write "hold cancelled"
end if

Jul 19 '05 #4

I like this line
Response.Write "Error code: " & err.number & "<br/>" response.Write sqlHold
very good idea.

A Delete statement doesn't use an asterisk (and most would tell you neither
does a Select) because it deletes the entire row, you can't delete just some
columns.

DELETE FROM hold WHERE ISBN='188477766X' AND Username='test'

Is ISBN your primary key?

Looking at what you posted you don't use RSHold anywhere, so you may as well
get rid of it.

You should validate ALL data that comes from a client. You are inserting
into your SQL statement - straight out of the querystring. If some big
meanie changed the Querystring they could quickly wipe out your database.
I can't remember where it is, but I think Bob Barrows pointed it out to me,
about SQL Injection. I think it was www.sqlsecurity.com or something like
that.

I strongly recommend you follow Aaron's advice, and poke around aspfaq.com
and some of the other sites.

Tom B

Jul 19 '05 #5
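
Tom B's point about validating querystring input, shown as a parameterized ADO command for the same DELETE (an added example, not code posted in the thread). The ISBN-10 and username patterns, the parameter sizes and the `library_web` login are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const adExecuteNoRecords = 128

' Returns True only when the value matches the anchored pattern.
Function Matches(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    Matches = re.Test(value)
End Function

Dim isbn, username, conn, cmd, affected
isbn = Trim(Request.QueryString("ISBN"))
username = Trim(Request.QueryString("Username"))

' Assumed formats: ISBN-10 as in the thread's sample value, and a
' simple account-name alphabet. Adjust to the real column rules.
If Not Matches(isbn, "^[0-9]{9}[0-9Xx]$") Or _
   Not Matches(username, "^[A-Za-z0-9_.-]{1,50}$") Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
' library_web is a hypothetical low-privilege SQL login, used instead of sa.
conn.Open "Provider=SQLOLEDB; Data Source=(local); " & _
          "Initial Catalog=LibrarySQL; User Id=library_web; Password=*****"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are bound as data, so quotes in the input cannot
' change the statement the way string concatenation allows.
cmd.CommandText = "DELETE FROM hold WHERE ISBN = ? AND Username = ?"
cmd.Parameters.Append cmd.CreateParameter("ISBN", adVarChar, adParamInput, 10, isbn)
cmd.Parameters.Append cmd.CreateParameter("Username", adVarChar, adParamInput, 50, username)

On Error Resume Next
cmd.Execute affected, , adExecuteNoRecords
If Err.Number <> 0 Then
    ' Encode the driver message before echoing it into the page.
    Response.Write "Error code: " & Err.Number & "<br/>" & Server.HTMLEncode(Err.Description)
ElseIf affected = 0 Then
    Response.Write "No matching hold found"
Else
    Response.Write "hold cancelled"
End If
On Error GoTo 0
conn.Close
%>
```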

Tom B wrote:
> I like this line
> Response.Write "Error code: " & err.number & "<br/>" response.Write
> sqlHold very good idea.
>
> A Delete statement doesn't use an asterisk (and most would tell you
> neither does a Select) because it deletes the entire row, you can't
> delete just some columns.


Given that the OP is using SQL Server, this statement is correct. However,
if he was using Jet, "delete * from ..." is a perfectly acceptable JetSQL
query, and in versions A97 and earlier was the required syntax.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 19 '05 #6

Really? I didn't know that. Doesn't really make any sense though, does it?


Jul 19 '05 #7

I didn't say it made sense :-)

I used A95 and A97 for years before I started with SQL Server. You can
imagine how hard it was to get out of the habit of typing "DELETE * FROM
...."

The JetSQL syntax for multiple table delete and update statements is
different from T-SQL's. In JetSQL, you would do this to delete records from
table1 that have matching records in table2:

DELETE table1.* FROM table1 join table2 ON ...

So that's the reason the * is allowed in the statement: it allows you to
specify which table to delete the records from.
The equivalent T-SQL query would be:

DELETE FROM t1 FROM table1 t1 join table2 t2 ON ...

Bob Barrows



--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 19 '05 #8

MC
Thanks for the help guys.

I've run SQL profiler and it appears to execute the delete statement AND the
same statement with a "SELECT * FROM" straight afterwards. I think it's a
permissions problem still. When using Access I know the IUSR_SERVER user
account has to have the appropriate permissions on the Access file but
what's the SQL equivalent?

Jul 19 '05 #9

What does your connection string look like? Are you using SQL
authentication (then you need to worry about the username you use in the
connection string), or Windows authentication (then you need to worry about
IUSR_WebServer *or* the authenticated user(s) if IIS is also forcing windows
auth).

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/




Jul 19 '05 #10

MC
the connection string looks like this:-

conn.open "Provider=SQLOLEDB; Data Source = (local); Initial Catalog = LibrarySQL; User Id = sa; Password=*****"

This is SQL authentication isn't it? How and where does IIS force windows
authentication?



Jul 19 '05 #11

On Wed, 12 May 2004 15:11:31 +0100, "MC"
<maxcoppin@-don't-send-me-any-spam-btinternet.com> wrote:
> Thanks for the help guys.
>
> I've run SQL profiler and it appears to execute the delete statement AND the
> same statement with a "SELECT * FROM" straight afterwards. I think it's a
> permissions problem still. When using Access I know the IUSR_SERVER user
> account has to have the appropriate permissions on the Access file but
> what's the SQL equivalent?

Depends on the authentication you use. If it's Windows Integrated,
the IUSR account needs to have access on the SQL tables/database. If
you're using a SQL authentication, then it depends on that SQL user.

My personal preference for anonymous SQL use is SQL Authentication,
with the user/password in the connection string. Something like:

Provider=sqloledb;Data Source=SQLServer;Initial Catalog=Northwind;User Id=sa;Password=password;

Naturally, not using the SA account and not having the password for it
be "password" are recommended security options... :)

In which case you create a SQL user for the connection, with the
access needed for the app in question. But that's a SQL group topic.

Jeff



Jul 19 '05 #12

> conn.open "Provider=SQLOLEDB; Data Source = (local); Initial Catalog = LibrarySQL; User Id = sa; Password=*****"
>
> This is SQL authentication isn't it?

Yes. However, I *strongly* recommend you don't use the sa user for your ASP
page connections, nor is it ever a good idea to expose your sa password
(even in ASP pages that reside on the file system and are "protected" from
casual viewing).

> How and where does IIS force windows authentication?

I don't think this is relevant in your case, but you can disable anonymous
access in Internet Services Manager and force your users to authenticate.
Typically you would do this in an intranet environment, not internet.

> I've run SQL profiler and it appears to execute the delete statement AND the
> same statement with a "SELECT * FROM" straight afterwards. I think it's a
> permissions problem still.


Why do you think that?

You say you get error -2147217900 ... what is the *TEXT* of the error
message? (Sorry, I haven't memorized the error code represented by every
32-bit integer.)

Also, I suspect that your page is executing multiple SQL statements, and you
are using the same variable throughout. This could easily explain how
"DELETE hold WHERE..." becomes "select * from DELETE hold WHERE..."

Maybe if you show ALL of your code, instead of only the parts you think are
relevant, you might get better answers.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/
Jul 19 '05 #13

MC wrote:
> the connection string looks like this:-
>
> conn.open "Provider=SQLOLEDB; Data Source = (local); Initial Catalog = LibrarySQL; User Id = sa; Password=*****"
> This is SQL authentication isn't it?

Yes
Horribly misguided SQL authentication, but SQL authentication it is.

> How and where does IIS force
> windows authentication?

It doesn't. Your connection string controls it.

> I've run SQL profiler and it appears to execute the delete
> statement AND the same statement with a "SELECT * FROM" straight
> afterwards. I think it's a permissions problem still. When using
> Access I know the IUSR_SERVER user account has to have the
> appropriate permissions on the Access file but what's the SQL
> equivalent?


The sa account is "god" in your database server. It can do anything in that
server*. There should not be any permissions problems here. You mentioned an
error code (-2147217900) in an earlier message. Please tell us the text of
the error message so we have a better chance of helping you. Are you still
getting that error now that you've corrected the statement's syntax? It
should be:

DELETE FROM hold WHERE ISBN='188477766X' AND Username='test'

Bob Barrows

*including execute operating system commands, which is why you should never
use sa in your applications! You should create a sql login account with
limited permissions and use that login in your application connection
strings.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 19 '05 #14

> *including execute operating system commands, which is why you should never
> use sa in your applications! You should create a sql login account with
> limited permissions and use that login in your application connection
> strings.


As a secondary part of this, is there an online resource with either
suggested permissions or where you can easily (for a Non-SQL type)
figure the best permissions? I know what I use, and I know it's not
appropriate for many other users, so I don't really have a setup to
refer people to when they have this kind of an issue.

Thanks,

Jeff
Jul 19 '05 #15

In most cases, a web app should use a SQL Server user in the datareader and
datawriter roles. Anything more than that is usually an exception, because
the ASP application is making stored procedure calls that require elevated
permissions (e.g. to shell out to a log file, use an extended stored
procedure, drop/create tables, etc).

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/



Jul 19 '05 #16
