Mercadante, Thomas F wrote: >Jon, > >You make a table read-only by granting only "read" access to it. > >Tom > >-----Original Message----- >From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx] >Sent: Monday, January 10, 2005 12:25 PM >To: oracle-l@xxxxxxxxxxxxx >Subject: RE: SQL Injection Concern > >Thanks all for the suggestions. BTW, We have an upgrade on the way, but >we're still on 8i ... > >A read-only table is new to me. How do I make it read only? By putting it >in a read only tablespace? Or, is there another way? > >Thanks, >Jon > > -----Original Message----- >From: Mercadante, Thomas F [mailto:thomas.mercadante@xxxxxxxxxxxxxxxxx] >Sent: Monday, January 10, 2005 10:48 AM >To: 'jknight@xxxxxxxxxxxxxx'; oracle-l@xxxxxxxxxxxxx >Subject: RE: SQL Injection Concern > >Can you not control what gets put into this table? Make it read-only? > >-----Original Message----- >From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx] >Sent: Monday, January 10, 2005 11:33 AM >To: oracle-l@xxxxxxxxxxxxx >Subject: SQL Injection Concern > > We've got a table listing stored programs that need to execute after >various application activity. My first thought is to just use "execute >immediate" on the stored program. But this will allow anyone to insert a >row into our table and execute arbitrary code. I'm interested in any >suggestions or solutions you've implemented to tighten up security in such a >situation. > >Thanks, >Jon Knight >Senior Database Analyst >2525 Horizon Lake Drive, Suite 120 >Memphis, TN 38133 >JKnight@xxxxxxxxxxxxxx >901.371.8000 - Phone >800.238.7675 - Phone >901.380.8336 - Fax >www.FirstData.com >First Data's merger with Concord creates "One Company" with enhanced choice, >voice and innovation for all customers. > > > create or replace trigger readonly before insert, update or delete begin raise_application_error(-20001,'Table is READ ONLY. Please restart the database and retry'); end; -- Mladen Gogala Oracle DBA Ext. 121 -- //www.freelists.org/webpage/oracle-l