I am trying to insert records via ASP, with a user that has only write
access to the table (db_datawriter, db_denydatareader).
That way, if the server is ever compromised, the access information
stored in the source code's connection string will not allow anybody to
actually read the database.
The problem is that I would like to use ADO methods to insert the data
(to prevent SQL injections), but I can't seem to get the right
connection. It works in plain SQL, but I'd rather not use it.
My current code looks like this:
connection="Provider=SQLOLEDB.1;User ID=DBwriter;Password=XXX;Data
Source=MYSERVER;Initial Catalog=MYDB;"
set conn=server.createobject("ADODB.Connection")
conn.mode=2 ' adModeWrite
conn.open connection
Set rs = Server.CreateObject ("ADODB.Recordset")
rs.Open "MYTABLE", conn, adOpenKeySet, adLockPessimistic, adCmdTable
rs.AddNew
rs.Fields("testfield") = "TESTDATA"
rs.Update
And the error I get is:
Microsoft OLE DB Provider for SQL Server (0x80040E09)
SELECT permission denied on object 'MYTABLE', database 'MYDB', owner
'dbo'.
(If I use a User with read privileges in the connection string
everything works fine.)