469,356 Members | 2,190 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,356 developers. It's quick & easy.

database access & asp.net

If a user has permissions to add and delete rows from a table i.e. adding
and removing items from an order what is to stop a malicious user changing
the product code in the form and then adding to or removing items to/from
another user's order ?

How do we ensure that the rows the user is editing are rows the user has
permission to edit ?

Thanks
Jul 21 '05 #1
3 1056
Two words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights to
your database. The connection should be handled by an "Application User"
that in turn is managed by a Connection Pool.

Dan

"Murphy" <mu****@murphy.com> wrote in message
news:%2*******************@TK2MSFTNGP09.phx.gbl...
If a user has permissions to add and delete rows from a table i.e. adding
and removing items from an order what is to stop a malicious user changing
the product code in the form and then adding to or removing items to/from
another user's order ?

How do we ensure that the rows the user is editing are rows the user has
permission to edit ?

Thanks

Jul 21 '05 #2
Are there any security models that have been tried and proven, don't want to
reinvent the wheel ?
Thanks

"solex" <so***@nowhere.com> wrote in message
news:%2*****************@TK2MSFTNGP10.phx.gbl...
Two words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights to your database. The connection should be handled by an "Application User"
that in turn is managed by a Connection Pool.

Dan

"Murphy" <mu****@murphy.com> wrote in message
news:%2*******************@TK2MSFTNGP09.phx.gbl...
If a user has permissions to add and delete rows from a table i.e. adding and removing items from an order what is to stop a malicious user changing the product code in the form and then adding to or removing items to/from another user's order ?

How do we ensure that the rows the user is editing are rows the user has
permission to edit ?

Thanks


Jul 21 '05 #3
There are many security models but none that I have seen that will implement
row level security in your database. It has been my experience that if you
want granular security you will need to implement it on your own.
Dan

"Murphy" <mu****@murphy.com> wrote in message
news:eo****************@TK2MSFTNGP09.phx.gbl...
Are there any security models that have been tried and proven, don't want to reinvent the wheel ?
Thanks

"solex" <so***@nowhere.com> wrote in message
news:%2*****************@TK2MSFTNGP10.phx.gbl...
Two words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights

to
your database. The connection should be handled by an "Application User" that in turn is managed by a Connection Pool.

Dan

"Murphy" <mu****@murphy.com> wrote in message
news:%2*******************@TK2MSFTNGP09.phx.gbl...
If a user has permissions to add and delete rows from a table i.e.

adding and removing items from an order what is to stop a malicious user changing the product code in the form and then adding to or removing items to/from another user's order ?

How do we ensure that the rows the user is editing are rows the user has permission to edit ?

Thanks



Jul 21 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

9 posts views Thread by Earl Partridge | last post: by
reply views Thread by bettina | last post: by
5 posts views Thread by XFER | last post: by
3 posts views Thread by blantz | last post: by
3 posts views Thread by MW de Jager | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by zhoujie | last post: by
reply views Thread by suresh191 | last post: by
1 post views Thread by Marylou17 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.