Security hole?


LL

Hi,

If I assign the ASP.NET user as db_owner to the login user, is it possible for the login
user to do some bad things to my db system? Thanks...





sp_addrolemember 'db_owner', <ASP.NET User Account>
 
db_owner can do anything in the database, so that is
opening up a large hole, in case you have not written an
application that is not vulnerable to SQL injection.
 
Thanks for the help.

How do I avoid that? I only need the login user to be able to insert and modify in the
specified DB.
 
Just use the permissions button in Enterprise Manager or look up GRANT in
T-SQL to set up only the permissions your application login needs.

Jerry
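
The GRANT approach suggested above, as an added T-SQL example that is not part of the original thread. The database `AppDb`, the tables `dbo.Orders` and `dbo.Customers`, the role `app_writer` and the account name `MYSERVER\ASPNET` are hypothetical; it assumes the account is already a user in the database.

```sql
-- Added example: replace db_owner membership with a narrow role.
-- All object and account names below are hypothetical.
USE AppDb;
GO

-- 1. Create a role that carries only what the web application needs.
EXEC sp_addrole 'app_writer';
GO

-- 2. Grant table-level rights on just the tables the application touches.
--    SELECT is included because an UPDATE with a WHERE clause needs SELECT
--    on the columns it filters on. DELETE and all DDL are left out.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders    TO app_writer;
GRANT SELECT, INSERT, UPDATE ON dbo.Customers TO app_writer;
GO

-- 3. Move the account: add it to the narrow role first, then take it out
--    of db_owner so the application never runs without permissions.
EXEC sp_addrolemember  'app_writer', 'MYSERVER\ASPNET';
EXEC sp_droprolemember 'db_owner',   'MYSERVER\ASPNET';
GO

-- 4. Verify. The account must no longer be listed under db_owner, and the
--    role must show only the three grants per table made above.
EXEC sp_helprolemember 'db_owner';
EXEC sp_helprotect @username = 'app_writer';
GO
```

With this in place, an injected statement that reaches the database still runs as the application account, but it can no longer drop objects, change permissions or delete rows.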
 