
Inserting Records with limited privileges

I am trying to insert records via ASP, with a user that has only write
access to the table (db_datawriter, db_denydatareader).
That way, if the server is ever compromised, the access information
stored in the source code's connection string will not allow anybody to
actually read the database.

The problem is that I would like to use ADO methods to insert the data
(to prevent SQL injections), but I can't seem to get the right
connection. It works in plain SQL, but I'd rather not use it.

My current code looks like this:
connection = "Provider=SQLOLEDB.1;User ID=DBwriter;Password=XXX;Data Source=MYSERVER;Initial Catalog=MYDB;"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Mode = 2 ' adModeWrite
conn.Open connection

Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "MYTABLE", conn, adOpenKeyset, adLockPessimistic, adCmdTable
rs.AddNew
rs.Fields("testfield") = "TESTDATA"
rs.Update

And the error I get is:

Microsoft OLE DB Provider for SQL Server (0x80040E09)
SELECT permission denied on object 'MYTABLE', database 'MYDB', owner 'dbo'.

(If I use a User with read privileges in the connection string
everything works fine.)

Jul 23 '05 #1
Create a stored procedure to do this and then call the proc from ASP.

Stored procedures are a powerful way to create a secure data-access
layer because you can deny users all permissions on table objects and
just grant them execute permission on the procs you want them to use.
This approach also protects against SQL Injection, provided you avoid
dynamic code in your procs.

--
David Portas
SQL Server MVP
--

Jul 23 '05 #2
(st************@gmail.com) writes:
> My current code looks like this:
>
> connection = "Provider=SQLOLEDB.1;User ID=DBwriter;Password=XXX;Data Source=MYSERVER;Initial Catalog=MYDB;"
> Set conn = Server.CreateObject("ADODB.Connection")
> conn.Mode = 2 ' adModeWrite
> conn.Open connection
>
> Set rs = Server.CreateObject("ADODB.Recordset")
> rs.Open "MYTABLE", conn, adOpenKeyset, adLockPessimistic, adCmdTable
> rs.AddNew
> rs.Fields("testfield") = "TESTDATA"
> rs.Update
>
> And the error I get is:
>
> Microsoft OLE DB Provider for SQL Server (0x80040E09)
> SELECT permission denied on object 'MYTABLE', database 'MYDB', owner 'dbo'.
>
> (If I use a User with read privileges in the connection string
> everything works fine.)


When you use adCmdTable, ADO reads the rows in the table, or rather, it
tries to.

You should not use Open at all. Just send parameterized INSERT statements
with adCmdText:

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT tbl(col1, col2) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("@par1", adVarChar, adParamInput, 50, Value1) ' type and size are placeholders
cmd.Parameters.Append cmd.CreateParameter("@par2", adInteger, adParamInput, , Value2)
cmd.Execute , , adExecuteNoRecords ' INSERT returns no rowset, so nothing is SELECTed

Please see the ADO documentation for all details on CreateParameter.

You can also use a stored procedure as suggested by David. In that case
you should use the command type adCmdStoredProc. You would pass
parameters in the same way as in the snippet above. Stored procedures
can prove to be a performance booster in your case.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp
Jul 23 '05 #3
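The server side of both answers, as an added example that is not code from the thread: a write-only database user that gets INSERT on the table (Erland's direct parameterized INSERT, which is narrower than db_datawriter) and EXECUTE on a dbo-owned stored procedure (David's approach), followed by a self-test that reproduces the "SELECT permission denied" error the adCmdTable Recordset.Open triggers and shows that both write paths succeed without it. It assumes SQL Server 2005 or later for the test harness (EXECUTE AS, CREATE USER ... WITHOUT LOGIN, TRY/CATCH); the grant model is the same on 2000, where sp_grantdbaccess replaces CREATE USER. Table, procedure and user names are illustrative, and the injection payload is constructed for the test.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005+.
-- Names (MYTABLE, DBwriter, usp_InsertTestRecord) are illustrative.

-- 1. The table, owned by dbo. The web user never receives SELECT on it.
CREATE TABLE dbo.MYTABLE (
    id        int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    testfield nvarchar(50)      NOT NULL,
    inserted  datetime          NOT NULL DEFAULT GETDATE()
);

-- 2. A login-less user so the test is self-contained. In production this is
--    CREATE USER DBwriter FOR LOGIN DBwriter (the login in the ASP
--    connection string), with no db_datareader and no db_datawriter.
CREATE USER DBwriter WITHOUT LOGIN;

-- 3a. Direct-INSERT path: INSERT is the only table permission. This is
--     narrower than db_datawriter, which would also grant UPDATE and DELETE.
GRANT INSERT ON dbo.MYTABLE TO DBwriter;
GO

-- 3b. Stored-procedure path. No dynamic SQL inside, so @testfield is data,
--     never code. Because the proc and the table are both dbo-owned, the
--     ownership chain skips the table permission check inside the proc, so
--     DBwriter needs no table permission at all for this route. The same
--     rule cuts the other way: a db_denydatareader DENY on the caller would
--     not stop a dbo-owned proc from SELECTing, so keep each proc limited
--     to exactly the statements the caller is meant to run.
CREATE PROCEDURE dbo.usp_InsertTestRecord
    @testfield nvarchar(50),
    @newid     int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    INSERT dbo.MYTABLE (testfield) VALUES (@testfield);
    -- Hand the new key back as an OUTPUT parameter (ADO: adParamOutput) so
    -- the caller never has to read the table.
    SET @newid = SCOPE_IDENTITY();
END
GO
GRANT EXECUTE ON dbo.usp_InsertTestRecord TO DBwriter;
GO

-- 4. Self-test: run as the web user and see what is and is not allowed.
EXECUTE AS USER = 'DBwriter';

-- (a) What Recordset.Open "MYTABLE", ..., adCmdTable does under the hood:
--     a SELECT over the table. Fails with Msg 229, SELECT permission denied.
BEGIN TRY
    SELECT TOP 1 * FROM dbo.MYTABLE;
    PRINT 'unexpected: SELECT was allowed';
END TRY
BEGIN CATCH
    PRINT 'as expected: ' + ERROR_MESSAGE();   -- Msg 229
END CATCH;

-- (b) Parameterized INSERT, the server-side shape of an ADODB.Command with
--     adCmdText and "?" placeholders. Succeeds with INSERT alone, and the
--     constructed payload below is stored as a string, not executed.
DECLARE @payload nvarchar(50);
SET @payload = N'x''); DROP TABLE dbo.MYTABLE; --';
EXEC sp_executesql
    N'INSERT dbo.MYTABLE (testfield) VALUES (@p1)',
    N'@p1 nvarchar(50)',
    @p1 = @payload;

-- (c) Stored procedure with EXECUTE only. Also succeeds.
DECLARE @newid int;
EXEC dbo.usp_InsertTestRecord @testfield = N'TESTDATA', @newid = @newid OUTPUT;
PRINT 'inserted id ' + CAST(@newid AS varchar(10));

REVERT;

-- Back as dbo: both rows landed, and MYTABLE still exists.
SELECT id, testfield FROM dbo.MYTABLE ORDER BY id;
```

Run it in a scratch database as a member of db_owner; step 4 prints the permission error for the SELECT and the new id for the procedure call, and the final SELECT shows the injection payload sitting harmlessly in testfield. If the ASP page needs to confirm an insert, return the key from the procedure (or use SCOPE_IDENTITY in the parameterized batch) rather than granting SELECT to read it back.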
Thanks for the pointer towards stored procedures!

I just got into 'industrial strength' databases (coming from Access),
and after checking out all the things you can do with SPs, I'll NEVER
go back!

Jul 23 '05 #4
