database access & asp.net

Two words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights to
your database. The connection should be handled by an "Application User"
that in turn is managed by a Connection Pool.

Dan

"Murphy" <mu****@murphy.com> wrote in message
news:%2*******************@TK2MSFTNGP09.phx.gbl...

If a user has permissions to add and delete rows from a table i.e. adding
and removing items from an order what is to stop a malicious user changing
the product code in the form and then adding to or removing items to/from
another user's order ?

How do we ensure that the rows the user is editing are rows the user has
permission to edit ?

Thanks

Are there any security models that have been tried and proven, don't want to
reinvent the wheel ?
Thanks

"solex" <so***@nowhere.com> wrote in message
news:%2*****************@TK2MSFTNGP10.phx.gbl...

Two words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights to your database. The connection should be handled by an "Application User"
that in turn is managed by a Connection Pool.

Dan

"Murphy" <mu****@murphy.com> wrote in message
news:%2*******************@TK2MSFTNGP09.phx.gbl...

If a user has permissions to add and delete rows from a table i.e. adding and removing items from an order what is to stop a malicious user changing the product code in the form and then adding to or removing items to/from another user's order ?

How do we ensure that the rows the user is editing are rows the user has
permission to edit ?

Thanks

There are many security models but none that I have seen that will implement
row level security in your database. It has been my experience that if you
want granular security you will need to implement it on your own.
Dan

"Murphy" <mu****@murphy.com> wrote in message
news:eo****************@TK2MSFTNGP09.phx.gbl...

Are there any security models that have been tried and proven, don't want to reinvent the wheel ?
Thanks

"solex" <so***@nowhere.com> wrote in message
news:%2*****************@TK2MSFTNGP10.phx.gbl...

Two words Application Architecture. Seriously you need to implement your

own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights

to

your database. The connection should be handled by an "Application User" that in turn is managed by a Connection Pool.

Dan

"Murphy" <mu****@murphy.com> wrote in message
news:%2*******************@TK2MSFTNGP09.phx.gbl...

If a user has permissions to add and delete rows from a table i.e.

adding and removing items from an order what is to stop a malicious user changing the product code in the form and then adding to or removing items to/from another user's order ?

How do we ensure that the rows the user is editing are rows the user has permission to edit ?

Thanks