advertisement
Login | Register   
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX

Are Java's Days Numbered?
COBOL, Programming Language of the Future
RESTful Service Discovery Explained
Monitoring the Big Picture: A Modern Approach for Web Application Monitoring
Is OpenStack Truly the Linux of Cloud? Yes and No

Tip of the Day
Language: SQL
Expertise: Intermediate
May 28, 2003

Granting Permissions on Database Objects

These permissions are required for security reasons 

USE pubs
GO

CREATE PROCEDURE GeneralSelect @TableName SYSNAME
AS
EXEC ('SELECT * FROM ' + @TableName)
GO
You probably expect that your stored procedure will make a call that looks something like: 

USE pubs
EXEC GeneralSelect 'authors'
However, consider the consequences of someone passing to your stored procedure the following: 

USE pubs
EXEC GeneralSelect 'authors DROP TABLE authors'
If you, the creator of the stored procedure, were a member of the db_owner role in the pubs database and your users needed only the EXECUTE privilege on the stored procedure, then this command would drop the authors table. SQL Server protects against such unauthorized actions by requiring that users possess the appropriate permissions on the database objects referenced within dynamic SQL statements.
Devington B.
 
Submit a Tip Browse "Database Development" Tips Browse All Tips
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 
advertisement
advertisement
Sitemap