218 questions
0 votes, 2 answers, 135 views
Not able to pass Column names as parameterised in ADD COLUMNS command in databricks-sql connector (needed to resolve SQL Injection Snyk Vulnerability)
I'm developing a web application that interacts with Databricks using the Databricks SQL connector. The application allows users from different teams to add/rename/delete columns of existing tables. ...
-1 votes, 1 answer, 189 views
Is it safe to expose a limited SQL query service endpoint? [closed]
We want to create a read-only query API endpoint, allowing clients to access their data by sending raw SQL strings. We would parse the queries as AST and validate them against our restricted schema, ...
0 votes, 0 answers, 219 views
Multitenancy with Database connection using credentials to achieve pure isolation and increase security
Using the "single database multi-schema" strategy of multitenancy, I want to make purely isolated connections to the database for each tenant.
I thought to reach it in small phases:
Phase 1: ...
1 vote, 0 answers, 153 views
Can I protect T-SQL business logic from SQL Server database administrators and owners
I have a rather complex solution, with a lot of business logic within the SQL Server database, located in stored procedures and views.
As an "old school" data warehouse developer, I have ...
0 votes, 1 answer, 128 views
Is CouchDB Authorization Alone Sufficient For Production Apps?
Is there any case where CouchDB authorization alone is sufficient for production apps? They recommend deploying a proxy server in front of Couch but do not recommend an authorization layer / server? ...
0 votes, 0 answers, 54 views
Where to start building a web service layer to secure my database?
I have recently built an inventory system for a C# portfolio project and I have all the main functionality of the program down, the database is built and all the passwords are hashed and somewhat ...
1 vote, 1 answer, 634 views
How to set up row level access in Postgres without creating a user
I have an existing API connected to an AWS PostgreSQL database that uses AWS Cognito for User authentication.
The goal is for users to insert data via the API with some field mapped to their Cognito ...
0 votes, 1 answer, 1k views
Hide a database from logins with VIEW ANY DATABASE permission
On our SQL Server, we have a lot of users (logins) who have 'VIEW ANY DATABASE' as an effective permission. I need to secure a single database and its tables from these users. Ideally, they shouldn't ...
1 vote, 1 answer, 428 views
How to give one user full access to MongoDB right after install?
I just installed MongoDB 4.4 on Ubuntu 20.04. Now, I want one user with a password to have full access (create database, write to it, delete it, etc.) over TCP port 27017. How can I do this?
0 votes, 1 answer, 512 views
How to design security policies for the following system including counters in postgres/supabase if postgres functions are used?
I am unsure how to design security policies for the following system including counters in postgres/supabase. My database includes two tables:
Users:
uuid|name|follower_counter
--------------------------...
-2 votes, 2 answers, 1k views
Security trigger when user is added to a database
How to implement a trigger mechanism in SQL Server that does a specific action, such as sending an email, when a new user is added to a database.
The idea is that there is a Data Warehouse and everyone, i....
0 votes, 1 answer, 562 views
Disable update, insert, delete for certain users from certain applications
Is it possible to create some "system" trigger, through which it would be possible to enable / disable the execution of update, insert, delete commands on the whole database, for certain ...
0 votes, 1 answer, 298 views
Deny doesn't take priority in the case of a permission chain?
Deny usually has more priority than grant. For example, GRANT SELECT is overridden if there is a DENY SELECT.
However, when it comes to permission chaining, suppose a user has access to the stored procedure ...
1 vote, 0 answers, 213 views
Postgres: Is Using Both Prepared Statements and Character Escaping Sufficient to Avoid Malicious User Input Attacks?
I assume if I use prepared statements and then escape all ' characters, no input any user dished up could cause me any trouble. But I know there are lots of tricky hacks out there and my assumptions ...
0 votes, 1 answer, 420 views
Connect MongoDB Atlas to application using VPC without username/password
I have one MongoDB hosted in an AWS Atlas account and my application is running in an AWS EC2 instance. I want to access my DB from my application via VPC peering, but it always asks for a username and password ...
0 votes, 1 answer, 174 views
Auto backup the data of a web project in Windows 10 MySQL 5.7
I have created an inventory system (web-based) for a store which runs only on a system hosted by the same system.
I want to set a scheduled backup, like if the person is entering data in the system so ...
0 votes, 1 answer, 157 views
Access database on instance from my pc without exposing it to internet [closed]
Background:
I'm running the latest version of PostgreSQL on a cloud instance which for the moment has almost nothing on it, and since two or three weeks ago it started to shut down itself every 4 or 5 ...
0 votes, 2 answers, 932 views
Changing SYSDBA user password in InterBase
I am working with InterBase 2020 version. Since InterBase installs with default user SYSDBA and default password for SYSDBA as masterkey, I want to change the password for SYSDBA user.
Using gsec ...
1 vote, 0 answers, 540 views
Can I encrypt MySQL on Google Cloud SQL at the Schema / DB level?
We have developed a data matching application where each user can upload their data and then apply the features we provide to identify when the same entities exist in those files. While it will change ...
0 votes, 3 answers, 265 views
Views getting created automatically in MySQL
Today I noticed that suddenly, a number of views are created in my DB; most of these views deal with system performance. I am pretty sure I have not created these views, for all of them the DEFINER is ...
0 votes, 1 answer, 204 views
Is there a way to update a firestore's document without giving permissions to the user?
Let me explain my issue better, the question phrasing was a little bit confusing.
I want a global "clicks" document to update each time that a user clicks in an HTML element in my webpage. ...
1 vote, 1 answer, 613 views
Best practice for storing sensitive connection data when connecting to a DB
I have always done my DB connection through a file like "connection.js" and it contains the sensitive data like password, user, host, etc. required for creating a db connection.
Is there an ...
0 votes, 0 answers, 403 views
How to Save a SQLite/Room Database that uses SQLCipher into a Filestream?
I've just learned how to use SQLCipher here and I want to be able to save it to an SQLite file and I stumbled upon this approach where the file is saved via FileOutputStream. However, the ...
0 votes, 1 answer, 3k views
Azure - Enable/Disable database setting for security purposes
We have certain security requirements in order for our app to go live within our organisation.
We are using the Microsoft Azure platform to host the application along with an Azure SQL Server and ...
0 votes, 1 answer, 413 views
mysql secure installation seems to be not secure
After successful mysql_secure_installation
Output:
mysql_secure_installation
Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] n
Change the root password? [...
0 votes, 1 answer, 141 views
Is it possible to hijack the result of a query from an app that comes from a public network?
In short,
We made an app that interacts with a server to fetch some data.
But now we think about security and here is our question:
Can a man-in-the-middle attack happen? Can someone use something ...
9 votes, 4 answers, 18k views
SQL Server 2019 - The server principal "sa" is not able to access the database "DB_NAME" under the current security context
I've written the following stored procedure:
CREATE PROCEDURE dbo.usp_DEMO
@LOGINSQL VARCHAR(30),
@DBNAME VARCHAR(40)
WITH EXECUTE AS owner
AS
DECLARE @SQL NVARCHAR(1000)
SET @SQL ...
0 votes, 1 answer, 232 views
Firebase/Firestore - database has insecure rules?
I have a SwiftUI application, which uses Firebase as a back end, and my rules are something like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// ...
0 votes, 1 answer, 3k views
Can I hash / encrypt a database TEXT column?
Apologies in advance for what may be a silly question, but I am working on building a little "journal" website, where users can type in daily thoughts in a private way. I'm currently storing ...
0 votes, 0 answers, 291 views
Postgres: force local connection to use password without pg_hba.conf
An application with a Postgres database is installed on a person's personal PC (OS: Windows); how to prevent this person from accessing the DB directly (using pgAdmin)?
The database cluster is ...
0 votes, 1 answer, 670 views
How to link the two users so they can both view the same tables SQL*Plus
I made my user with my tables etc. Then I created a new user with privileges but the tables are not there in the new user... how can I link the two users so both users ...
0 votes, 1 answer, 255 views
If I give a user table privileges do I need to give them a database role as well
I have a database and want to give out roles and privileges.
My aim is to allow multiple users - all have the same privileges - to be able to create, edit and view the tables (That's it).
I ...
0 votes, 1 answer, 102 views
How to add and improve security for Oracle 11g Database which is open publicly? [closed]
I just inherited a legacy ERP system on my new job which has Oracle 11g database. ERP is based on Java and Oracle forms. It is so old that it needs IE to run and a specific JRE 8.121 requirement.
So ...
0 votes, 1 answer, 851 views
Clarification on Oracle DB Audit Configuration - Settings
I have read information regarding audit configuration in Oracle 12c; however, I am looking for some clarification. Some information I read led to some confusion.
The audit config I am reviewing has ...
2 votes, 1 answer, 2k views
2FA on phpMyAdmin 4.8.4
I am trying to implement Two factor authentication (2FA) on phpMyAdmin. Configuration Storage has been set up and the corresponding user has been created. However, when I go to Settings > Two Factor ...
1 vote, 1 answer, 1k views
Best way to secure 3rd party api key in MongoDB
I have a specific use case in my application to store users' 3rd party API keys to retrieve data from those 3rd parties. It is a web application and I am using Express as well as MongoDB for the ...
0 votes, 1 answer, 969 views
Global Audit Table in SQL Server
While looking at some tables in my schema, it occurred to me that I could create a global audit table, which might contain some information on DML entries on all tables. I'd like to store 'Table name', '...
2 votes, 2 answers, 1k views
msg: 6528, Assembly 'XYZCLRDatabase' could not be found in the SQL catalog for database 'XYZ'
I executed the following command on my database and it gives me the message "Commands completed successfully."
USE XYZ
GO
DECLARE @clrName nvarchar(4000) = 'XYZCLRDatabase, ...';
DECLARE @asmBin ...
3 votes, 1 answer, 570 views
The customer wants all data encrypted in the database; how to make efficient queries when fields are encrypted?
Nowadays some non-technical customers ask if all data is stored (and transferred) in encrypted form. They do not like the idea that only the password is hashed.
What are the best practices, e.g. how to ...
0 votes, 1 answer, 345 views
View and table security conflict resolution
I have a SQL Server 2017 instance with 5 databases on it. A, B, C, D, E. Database A holds nothing but schemas and views. There is one schema for each of the subsequent databases on the instance (A, B, ...
0 votes, 1 answer, 4k views
How to restrict access to users to a specific schema?
I am trying to grant users access to a specific schema. What this means is they will be able to access objects in a specific schema and create/alter/manage objects only in that specific schema.
have ...
2 votes, 1 answer, 8k views
SQL Server Encryption via symmetric keys (AES_256)
I was reading about encryption in database (SQL Server) and came across an MS article (https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-...
2 votes, 1 answer, 3k views
Row level security in Azure Cosmos DB
I have a Cosmos DB system with a user table. Now I'm developing a client app that connects to Cosmos DB directly via the Cosmos SDK (iOS).
I'd like to add a security layer to make sure a user can't access ...
11 votes, 2 answers, 7k views
Is it possible to get "NT AUTHORITY\NETWORK SERVICE" user independent of language?
I have encountered today a problem that I have never faced before.
I have developed an application that uses SQL Server database. That application has a Windows Service that accesses the database.
...
1 vote, 1 answer, 595 views
Securely store client database details
I'm adding functionality for regular exports of data from our databases to a client's database. Clients will supply database details which we need to keep secure. What would be the best way of securely ...
1 vote, 1 answer, 192 views
Is it possible to add a layer on Firestore so the changes won't be committed directly?
As my title states, is it possible to add a new layer above a Cloud Firestore database, so that all the changes made by users are not committed directly to the database?
0 votes, 0 answers, 382 views
Is it overkill to encrypt an SSN before inserting into a database that is encrypted with TDE?
Our database is encrypted with TDE (Transparent Data Encryption). All the data in the database is encrypted. But when you access the database (e.g. SQL Server Management Studio) when logged in as an ...
1 vote, 0 answers, 390 views
Safely destroy (shred) MySQL database
I want to store sensitive data in a MySQL database for a while, so I'd like to know a way to delete a MySQL database without having a chance of recovery. In Linux, we have a tool named shred which ...
0 votes, 0 answers, 774 views
How to manage MySQL connections in a microservices architecture
I have the gist of how to connect to a MySQL server; however, my dilemma is using passwords. Here are some of the things I am looking at.
Architecture will be 1 core service which as of right now will ...
2 votes, 2 answers, 245 views
Why hash passwords while the database is already compromised?
Although it seems trivial that developers should hash credentials before saving them to a database, I can't understand why this is needed.
Passwords were invented to keep some users from seeing ...