wootscootinboogie
Reputation: 8695
Security against select expressions in SQL
Considering that you can use a select expression in a query
select table1.ID, (select table2.salary, table1.id from table2 inner join...
from table1
and retrieve data that you don't have to reference in the from statement, how is this guarded against as far as security is concerned in enterprise DBMSs? do table permissions work so that you can not allow any references to them (since this case it isn't in your from statement)
Upvotes: 0
Views: 183
Answers (1)
anon
Reputation:
You can enforce column-level permissions. So that it doesn't matter if the request came from the select list, a subquery, where exists, etc.:
DENY SELECT ON OBJECT::dbo.table2(salary) TO [user/role];
You can also deny select on the underlying table entirely, and create a view that only exposes the columns you wish users to see. Or allow them to execute a stored procedure that only selects a subset.
Upvotes: 2
Related Questions
- Security-check for custom SQL SELECT query in C#
- Properly securing SQL statement with parameters
- How to let app users execute arbitrary SELECT statements securely?
- Security in SQL Server
- ASP - SQL injection protection in the SELECT clause
- How to protect SQL Server stored procedures
- Sql server security principles
- SQL Server and Security
- sql server 2008 security
- Enforce query restrictions