Search Results
6/18/2025, 10:07:12 PM
>>105634002
>Our client apps only execute stored procedures with sanitized inputs. It's a dumb solution,
>but it's secure
you can't be serious
so the client can potentially execute arbitrary SQL queries
it takes only one person to modify the application or extract a connection string
security through (easily circumventable) obscurity is not a solution
does the SQL user you are using at least have permission to only execute stored procedures, and only some of them?
any permissions on those? e.g. can any user potentially get/modify/delete all the data if they know to call the correct SP?
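A concrete version of the permission model the post is asking about, as an added example that is not from the thread or from anyone's real deployment. It is T-SQL for SQL Server; the database, login, role, table and procedure names (AppDb, app_client, app_exec, dbo.Orders, dbo.usp_GetOrderForCustomer) and the sample rows are made up for the example. The app principal gets EXECUTE on one explicitly listed procedure and nothing else, the procedure reaches the table through ownership chaining (same owner, dbo, for procedure and table), and the last two steps are the check a reviewer would run to prove the principal cannot touch the table directly.

```sql
-- Added example (hypothetical names), SQL Server / T-SQL.
USE AppDb;
GO

-- Constructed sample data for the example.
CREATE TABLE dbo.Orders (
    OrderId    INT           NOT NULL PRIMARY KEY,
    CustomerId INT           NOT NULL,
    OrderDate  DATE          NOT NULL,
    Total      DECIMAL(10,2) NOT NULL
);
INSERT INTO dbo.Orders (OrderId, CustomerId, OrderDate, Total) VALUES
    (1001, 42, '2025-06-01', 19.99),
    (1002, 43, '2025-06-02', 250.00);

-- The weak setup the post warns about: the app login owns the database, so anyone
-- holding the connection string can run arbitrary SQL. Shown only to contrast.
-- ALTER ROLE db_owner ADD MEMBER app_client;   -- do NOT do this

-- 1. Least-privilege principal: a dedicated login/user with no grants by default.
CREATE LOGIN app_client WITH PASSWORD = 'replace-with-a-long-random-secret';
CREATE USER app_client FOR LOGIN app_client;

-- 2. A role that will carry EXECUTE on an explicit list of procedures only.
CREATE ROLE app_exec;
ALTER ROLE app_exec ADD MEMBER app_client;
GO

-- 3. A procedure scoped to one customer. Inputs are typed parameters, not string
--    concatenation, so the caller cannot smuggle SQL through @CustomerId/@OrderId.
CREATE OR ALTER PROCEDURE dbo.usp_GetOrderForCustomer
    @CustomerId INT,
    @OrderId    INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId AND OrderId = @OrderId;
END;
GO

-- Grant EXECUTE on this one object. Deliberately no SELECT/INSERT/UPDATE/DELETE on
-- any table and no EXECUTE on the whole schema, so a future "catch-all" procedure
-- is unreachable until someone explicitly grants it.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrderForCustomer TO app_exec;
GO

-- 4. Verify from the app principal's point of view (run as a sysadmin/dbo).
EXECUTE AS USER = 'app_client';
SELECT
    HAS_PERMS_BY_NAME('dbo.usp_GetOrderForCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc,   -- 1
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')                   AS can_select_orders; -- 0
-- A direct read fails with error 229 (SELECT permission denied):
-- SELECT * FROM dbo.Orders;
-- The scoped call works and returns only row 1001 (ownership chaining, no table grant needed):
EXEC dbo.usp_GetOrderForCustomer @CustomerId = 42, @OrderId = 1001;
REVERT;
GO

-- 5. Audit: list every permission the app principal or its role actually holds.
SELECT
    r.name                                   AS grantee,
    p.state_desc,
    p.permission_name,
    OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name IN ('app_exec', 'app_client')
ORDER BY grantee, object_name;
```

Two caveats the grants alone do not cover: a procedure that builds dynamic SQL from its parameters (EXEC(@sql) or sp_executesql with concatenated text) reintroduces injection even though the caller only has EXECUTE, and a procedure declared with EXECUTE AS OWNER or granted on a broad "get everything" query is exactly the "call the correct SP" problem the post raises, since EXECUTE on it is equivalent to the data it returns.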