News:

This week IPhone 15 Pro winner is karn
You can be too a winner! Become the top poster of the week and win valuable prizes.  More details are You are not allowed to view links. Register or Login 

Main Menu

Granting Permissions on Database Objects

Started by Sunite, October 02, 2007, 06:53:03 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

Sunite

October 02, 2007, 06:53:03 PM
Granting Permissions on Database Objects

Q

Why do I have to give permissions on the underlying database objects when I'm using dynamic SQL statements?



A


These permissions are required for security reasons. Consider the following simple stored procedure:

USE pubs
GO

CREATE PROCEDURE GeneralSelectTableName SYSNAME
AS
EXEC ('SELECT * FROM ' + TableName)
GO

You probably expect that your stored procedure will make a call that looks something like:

USE pubs
EXEC GeneralSelect 'authors'

However, consider the consequences of someone passing to your stored procedure the following:

USE pubs
EXEC GeneralSelect 'authors DROP TABLE authors'

If you, the creator of the stored procedure, were a member of the db_owner role in the pubs database and your users needed only the EXECUTE privilege on the stored procedure, then this command would drop the authors table. SQL Server protects against such unauthorized actions by requiring that users possess the appropriate permissions on the database objects referenced within dynamic SQL statements.



Print
Go Up Pages1
User actions