Is it bad practice to use 'Select * ' from a security perspective?
Thanks for any advice.
Ray
13  1713 
In general its not a security concern unless you are restricting columns
through a view. New columns would show up (assuming the view was
refreshed). Basically select * should be avoided unless it is the intend to
expose all columns no matter what. The bigger concern is when it's embeded
in code. The code could break if columns are changed.
"Ray Allison" <ra*********@tiscali.co.uk> wrote in message
news:43**********@mk-nntp-2.news.uk.tiscali.com... Is it bad practice to use 'Select * ' from a security perspective?
Thanks for any advice.
Ray
You never use SELECT * in production code (except in an EXISTS()
predicate). Any change to the base table will mess up the host program
that was expecting few or more columns, expose columns that you might
now want exposed, blow up VIEWs built on this query, etc.
Danny wrote: In general its not a security concern unless you are restricting columns
through a view. New columns would show up (assuming the view was
refreshed). Basically select * should be avoided unless it is the intend to
expose all columns no matter what. The bigger concern is when it's embeded
in code. The code could break if columns are changed.
If you have "select * from table1" in code and drop column2 how is that
different from having "select column1, column2, column3 from table1" in
code and dropping column2? (apart from the error ocurring on a different
line of code of course:-))
because you would know exactly which columns were needed in the main
app, i.e. coumn1,2 and 3 as opposed to "all of them"
pb648174 wrote: because you would know exactly which columns were needed in the main
app, i.e. coumn1,2 and 3 as opposed to "all of them"
All that tells me is that you don't need column4.
Having "select column1, column2, column3 from table1" doesn't
necessarily mean you need column1, column2 and column3 any more or less
than "select *", the code later on will determine those columns that you
need.
You could start with "select c1,c2,c3" then end up not using c2 at all.
On Mon, 05 Dec 2005 08:33:02 +0000, Trevor Best wrote: Danny wrote: In general its not a security concern unless you are restricting columns
through a view. New columns would show up (assuming the view was
refreshed). Basically select * should be avoided unless it is the intend to
expose all columns no matter what. The bigger concern is when it's embeded
in code. The code could break if columns are changed.
If you have "select * from table1" in code and drop column2 how is that
different from having "select column1, column2, column3 from table1" in
code and dropping column2? (apart from the error ocurring on a different
line of code of course:-))
Hi Trevor,
Have you ever had the task to do impact analysis for an impending
change? Life is good if you can search your sources for a column name
and KNOW that you have all occurences.
Also - consider what happens if someone drops and recreates the tables
with the columns in a different order. Best case, you get an error
becuase datatypes don't match anymore. Worst case, you don't....
Best, Hugo
--
(Remove _NO_ and _SPAM_ to get my e-mail address)
Trevor Best (no****@localhost.invalid) writes: If you have "select * from table1" in code and drop column2 how is that
different from having "select column1, column2, column3 from table1" in
code and dropping column2? (apart from the error ocurring on a different
line of code of course:-))
The difference is that
1) "SELECT column1, column2..." will bomb. A SELECT * could continue to
work, but yeild incorrect results.
2) If you are using stored procedures, you can use sysdepends to track
whether the column is used, and you would know that it is used. With
SELECT * you don't have an idea.
3) Even if you don't use stored procedure, you can still search the code
for references to the column.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se
Books Online for SQL Server 2005 at http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at http://www.microsoft.com/sql/prodinf...ons/books.mspx
interesting. so what if there is security on a given column, say
payrolldollars that you don't want some users to see. so you limit that
access using sql security.
Will the sproc perhaps get unintended access to a web viewer for this
data???????
hai,
help me out of a select option that should makes to display only the
maximum number of subordinate to their immediate senior in an
organization.
like...
MD > 3 director > each has 2,3,4 person reporting subordinate
respectively.
i want to display one director have maximum 4 subordinates.
that 4 subordinates to be displayed.
empid name reporting to designation
1 aaa null MD
2 bbb aaa pm
3 ccc aaa pm
4 ddd aaa pm
5 eee bbb pl
6 f f f bbb pl
7 ggg ccc pl
8 hhh ccc pl
9 i i i ccc pl
10 j j j ddd SE
11 kkk ddd SE
12 l l l ddd SE
13 mmm ddd SE
I want to display the information of employee,whom they are DIRECTLY
Reporting to,who is having maximum number of direct subordianate.i want
to display of SE(designation) to be get display.
help me out of a select statement to view while execution.
(J.*********@gmail.com) writes: help me out of a select option that should makes to display only the
maximum number of subordinate to their immediate senior in an
organization.
like...
MD > 3 director > each has 2,3,4 person reporting subordinate
respectively.
i want to display one director have maximum 4 subordinates.
that 4 subordinates to be displayed.
empid name reporting to designation
1 aaa null MD
2 bbb aaa pm
3 ccc aaa pm
4 ddd aaa pm
5 eee bbb pl
6 f f f bbb pl
7 ggg ccc pl
8 hhh ccc pl
9 i i i ccc pl
10 j j j ddd SE
11 kkk ddd SE
12 l l l ddd SE
13 mmm ddd SE
I want to display the information of employee,whom they are DIRECTLY
Reporting to,who is having maximum number of direct subordianate.i want
to display of SE(designation) to be get display.
help me out of a select statement to view while execution.
So there is a standard recommendation for this sort of post, and
that is that you include:
1) CREATE TABLE statment for your table(s).
2) INSERT statments with sample data.
3) The desired result given the sample.
It makes it possible to copy and paste into Query Analyzer to develop
a tested solution. It also serves to sort out any ambiguities in
your narrative. I have read your post a couple of times, but I don't
really understand what you want. Since I want to give you something
that works, I need to ask you for more detailed input.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se
Books Online for SQL Server 2005 at http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at http://www.microsoft.com/sql/prodinf...ons/books.mspx
ttt.
if you use select *, can u allow unintended access and "bypass" the
"intent" of the security?
I'm rusty. I trust the peanut gallery will assist me with syntax
issues.
select employee.name, boss.name, count(employee.empid) from people as
employee
left outer join people as boss on employee.empid = boss.reportingto
where designation = 'PM'
group by employee.name, boss.name
you want the left outerjoin because sooner or later you will run into
the president of the company, who has no boss.
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: JT |
last post by:
I have an input form for which I've created a "matrix" for user input.
Basically, the user chooses a radio button and then through javascript, a
select box is displayed to define a value for that...
|
by: Elroyskimms |
last post by:
Using SQL 2000...
tblCustomer:
CustomerID int
CompanyName varchar(20)
HasRetailStores bit
HasWholesaleStores bit
HasOtherStores bit
tblInvoiceMessages:
|
by: bobsawyer |
last post by:
I've been building a series of SELECT lists that are populated
dynamically using HTTPRequest. Things are going pretty well, and I've
got the whole thing working flawlessly in Mozilla/Firebird....
|
by: dumbledad |
last post by:
Hi All,
I'm confused by how to replace a SELECT statement in a SQL statement
with a specific value. The table I'm working on is a list of words (a
column called "word") with an index int...
|
by: serge |
last post by:
Using "SELECT * " is a bad practice even
when using a VIEW instead of a table?
I have some stored procedures that are
identical with the difference of one statement
in the WHERE clause. If I...
|
by: serena.delossantos |
last post by:
Trying to insert into a history table. Some columns will come from
parameters sent to the store procedure. Other columns will be filled
with a separate select statement. I've tried storing the...
|
by: chunk1978 |
last post by:
hey everyone,
i've been trying to solve this problem for 2 days straight, with no end in sight. i would greatly appreciate anyone's help.
EXPLANATION: There are 3 Select Menus. The 1st and...
|
by: naima.mans |
last post by:
Hello,
i want to select 2 following brothers nodes wich are one under another
(one closed to another)... i have done one xslt file... but it's not
really good..
for example:
the xml file:...
|
by: rn5a |
last post by:
A Form has 2 select lists. The 1st one whose size is 5 (meaning 5
options are shown at any given time) allows multiple selection whereas
the 2nd one allows only 1 option to be selected at a time.
...
|
by: Apaxe |
last post by:
In the database i have a table with this information:
key_id =1
key_desc =43+34+22+12
I want sum the values in key_desc. Something like:
SELECT key_desc FROM table
But the result of...
|
by: Faith0G |
last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome former...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
| |
