Hi Martin

> The only way that I can see to close this hole is for UniObjects to have an
> option to restrict which operations the client end can request. At the
> highest level, this should restrict the client so that all he can do is call
> existing catalogued programs that are compiled with some special compiler
> mode directive.
We are already doing this in the Banking environment and there are already facilities to cover this. This issue applies to all RDBMS, not just U2. I could from Excel run an SQL call to update any database, and even from the internet people have been able to break into an RDBMS by changing the SQL queries in HTML calls. All RDBMS encourage people to use stored procedures and restrict general SQL access for this reason. Within UniVerse you can do the same thing. You can restrict user read, write, and delete access to the database either by setting OS-level file access or by SQL security access. With the AUTHORIZE statement, you can allow subroutines to have different access rights. Thus from UniObjects one can only access the database through subroutines, and they cannot do anything else.

Regards
David Jordan

-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
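As an added illustration of the approach David describes (not code from the original thread), a catalogued UniVerse BASIC subroutine of the kind a UniObjects client would be limited to calling: it validates its input, runs under a separate SQL identity, and returns only selected fields. The file name CUSTOMERS, the account name APPUSER, the field positions and the use of the AUTHORIZATION statement are all assumptions for this example.

```basic
SUBROUTINE CUST.LOOKUP(RESULT, STATUS, CUST.ID)
* Added example, not from the original post. Assumes a CUSTOMERS file and an
* APPUSER account exist. Direct file access for the client identity is closed
* off with OS or SQL permissions, so every request has to come through here.
  AUTHORIZATION "APPUSER"   ;* run with APPUSER's SQL privileges (assumed account)
  RESULT = ''
  STATUS = 0
* Validate the key before touching the file: non-empty, bounded, digits only
  IF LEN(CUST.ID) = 0 OR LEN(CUST.ID) > 10 THEN
    STATUS = 1
    RETURN
  END
  IF NOT(NUM(CUST.ID)) THEN
    STATUS = 1
    RETURN
  END
  OPEN 'CUSTOMERS' TO F.CUST ELSE
    STATUS = 2
    RETURN
  END
  READ REC FROM F.CUST, CUST.ID THEN
*   Return only the fields the client is permitted to see (assumed positions)
    RESULT = REC<1> : @AM : REC<2>
  END ELSE
    STATUS = 3
  END
  RETURN
END
```

The client never names a file or a query; it passes a key and gets back the fields this routine chooses to expose, so the damage a tampered request can do is bounded by what the subroutine itself does.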