database access & asp.net

  • Thread starter Thread starter Murphy
  • Start date Start date
M

Murphy

If a user has permissions to add and delete rows from a table i.e. adding
and removing items from an order what is to stop a malicious user changing
the product code in the form and then adding to or removing items to/from
another user's order ?

How do we ensure that the rows the user is editing are rows the user has
permission to edit ?

Thanks
 
Two words Application Architecture. Seriously you need to implement your
own security model if you want to provide for row level and field level
security.

Secondly if you are developing a web app the user should not have rights to
your database. The connection should be handled by an "Application User"
that in turn is managed by a Connection Pool.

Dan
 
Are there any security models that have been tried and proven, don't want to
reinvent the wheel ?
Thanks
 
There are many security models but none that I have seen that will implement
row level security in your database. It has been my experience that if you
want granular security you will need to implement it on your own.


Dan
 
Back
Top