Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Yaroslav Pentsarskyy Preventing Identity Theft Using SQL Server RE: Preventing Identity Theft Using SQL Server

  • September 20, 2006 at 2:05 am

    #661425

    I understand the approach, but I don't understand the reasons for it.

    Wouldn't it be a lot easier to just:

    1. Create stored procedures for all data modifications;

    2. Have checks for validity of any modification in those stored procedures, not in the web application (or at least not ONLY in the web application);

    3. Make sure that these stored procedures have the same owner as the tables;

    4. Deny all users all rights to all tables;

    5. Grant execute rights on the stored procedures to the userids that need those rights.

    This way, even if a hacker found his way into the database server, he'd still have no way to alter data. The only thing he could do is execute the stored procedures - and those will still perform all their checks before carrying out any modification.

    Am I missing something?

    Best, Hugo

    Hugo Kornelis, SQL Server/Data Platform MVP (2006-2016)
    Visit my SQL Server blog: https://sqlserverfast.com/blog/
    SQL Server Execution Plan Reference: https://sqlserverfast.com/epr/