Reputation: 165
I am working on an application that will allow users to create queries on their own to view data in their database. However, the stipulation is that the application should prevent any modification of the tables and data stored in the database. The application will be written in C#. Any good suggestions of how this could be done? Possible idea that I have thought of:
Any suggestion to block any changes made from this application to prevent any chance of a user error or attempt to modify tables of data is much appreciated.
Upvotes: 0
Views: 454
Reputation: 171411
This is usually handled by giving users access to (non-updatable) views, but not to tables.
Upvotes: 2
Reputation: 30865
IMHO, the best way is to create a user that can only do select on specified tables. And then use that user for connection.
Upvotes: 1
Reputation: 415735
This needs to be handled at the user level rather than the query level. When you set up your app, you'll need to make sure that the account used to run the queries does not have any dbwriter permissions.
Upvotes: 2
Reputation: 887453
You should run your queries as a user that doesn't have write permission.
Upvotes: 10
Reputation: 881443
Any decent DBMS should have these protections already built in (at a per-user level). You just make sure the only access they have is read-only.
Then you don't have to worry about anything that they do. Let them try to insert, update and delete all they want.
It's a basic tenet of databases that they are responsible for their own security and integrity. You never leave that up to an external application since any monkey can write an application to connect to the database that doesn't follow the rules.
Upvotes: 4
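The answers above combine into one setup: read-only views, a SELECT-only account, and no writer role. The following T-SQL sketch is an added example, not code from any of the posters, and it assumes SQL Server; the database `ReportingDb`, table `dbo.Orders` with its columns, schema `reporting`, and login `query_app` are all hypothetical names.

```sql
-- Assumed environment: SQL Server. All object names are hypothetical.
USE ReportingDb;
GO

-- 1. Expose data through a dedicated schema of views, not the base tables.
CREATE SCHEMA reporting;
GO
CREATE VIEW reporting.Orders AS
    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders;
GO

-- 2. Dedicated account that the C# application uses for user-authored queries.
--    Replace the placeholder password; do not reuse an admin or owner login.
CREATE LOGIN query_app WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER query_app FOR LOGIN query_app;
GO

-- 3. Read access to the views only. The user is added to no database roles
--    (in particular not db_datawriter, db_ddladmin or db_owner).
GRANT SELECT ON SCHEMA::reporting TO query_app;
-- Explicit DENY overrides any GRANT the user might later inherit via a role.
DENY INSERT, UPDATE, DELETE ON SCHEMA::reporting TO query_app;
GO

-- 4. Verify from the account's point of view before shipping.
EXECUTE AS USER = 'query_app';

-- Effective permissions on the view: only SELECT should be listed.
SELECT permission_name
FROM sys.fn_my_permissions('reporting.Orders', 'OBJECT');

-- Role checks: both should return 0.
SELECT IS_ROLEMEMBER('db_datawriter') AS is_writer,
       IS_ROLEMEMBER('db_owner')      AS is_owner;

-- Reads work through the view.
SELECT TOP (5) * FROM reporting.Orders;

-- Writes and direct table access are rejected by the server with a
-- permission-denied error, regardless of what the application sends.
DELETE FROM reporting.Orders;
SELECT * FROM dbo.Orders;

REVERT;
GO
```

The C# application then connects with the `query_app` credentials only, so any statement a user types is checked by the database against these permissions rather than by query filtering in the application.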