database-security | 易学教程

Firebase/Firestore - database has insecure rules?

阅读更多关于 Firebase/Firestore - database has insecure rules?

问题 I have a SwiftUI application, which uses Firebase as a back end, and my rules are something like this: rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { // This rule allows anyone on the internet to view, edit, and delete // all data in your Firestore database. It is useful for getting // started, but it is configured to expire after 30 days because it // leaves your app open to attackers. At that time, all client // requests to your Firestore database

SQL Server 2008 - Does a trigger run with the same permissions as the login/user?

阅读更多关于 SQL Server 2008 - Does a trigger run with the same permissions as the login/user?

问题 Just a quick question: Say I put an insert trigger on a table in my database. If data is inserted into that table through a login/user "foobar". Does the trigger execute with the same access rights / permissions as "foobar"? Many thanks. 回答1: Yes. You can control this behaviour with the EXECUTE AS clause of the create statement, as explained here. The default for triggers is EXECUTE AS CALLER where we find CALLER Specifies the statements inside the module are executed in the context of the

Change PostgreSQL password encryption from MD5 to SHA

阅读更多关于 Change PostgreSQL password encryption from MD5 to SHA

问题 Is there a way to change the PostgreSQL password encryption method from MD5 to SHA? If Yes, can you please tell me how? I am using PostgreSQL 9.5 回答1: Pg 10 With PostgreSQL 10, you can set password_encryption to scram-sha-256 . From the docs When a password is specified in CREATE ROLE or ALTER ROLE without writing either ENCRYPTED or UNENCRYPTED , this parameter determines whether the password is to be encrypted. The default value is md5, which stores the password as an MD5 hash. Setting this

Is PDO … SET NAMES utf8 dangerous?

阅读更多关于 Is PDO … SET NAMES utf8 dangerous?

问题 Looking at here: http://www.php.net/manual/en/mysqlinfo.concepts.charset.php I understand that using SET NAMES utf8 is not a good idea, but it is not clear: What is the issue? How to avoid it? Which is actually the solution to set the charset for a (or all) PDO connection(s) in a PHP 3.6 or higher? The code I'm afraid is dangerous: $this->_conn = new PDO('mysql:host=host.name.blabla;dbname=my_database_name','username', 'password',array( PDO::ATTR_PERSISTENT => true, PDO::ATTR_ERRMODE => PDO:

Access 2010 allowing multiple users/ Implementing group security

阅读更多关于 Access 2010 allowing multiple users/ Implementing group security

问题 I'm creating an Access 2010 database and would like some clarification when it comes to concurrency and security. What I would like is upon starting the app only a menu form to be displayed with several buttons including a login button. Most buttons would be disabled until after the user logs in at which point based on their permission group; Viewer(Deafault), Worker, Editor, Admin. Also, Admin should be the only one to be able to see the access database while the others are restricted to

How to separate a person's identity from his personal data?

阅读更多关于 How to separate a person's identity from his personal data?

问题 I'm writing an app which main purpose is to keep list of users purchases. I would like to ensure that even I as a developer (or anyone with full access to the database) could not figure out how much money a particular person has spent or what he has bought. I initially came up with the following scheme: --------------+------------+----------- user_hash | item | price --------------+------------+----------- a45cd654fe810 | Strip club | 400.00 a45cd654fe810 | Ferrari | 1510800.00 54da2241211c2

Limit Database List to Ones With Permission SQL Server

阅读更多关于 Limit Database List to Ones With Permission SQL Server

问题 By default if you connect to a remote SQL Server via an account that has access to say 1 of the 10 databases. You will still see in the Object Explorer all other databases, obviously due to permissions you cannot actually query them, but you can see their names. I have heard that there is a method that disable this behavior, but I've been unable to find the answer, does anyone know how to do this? To give an example I have a SQL Server called MyDbServer, it has 4 databases, MyDatabase

Limit Database List to Ones With Permission SQL Server

阅读更多关于 Limit Database List to Ones With Permission SQL Server

By default if you connect to a remote SQL Server via an account that has access to say 1 of the 10 databases. You will still see in the Object Explorer all other databases, obviously due to permissions you cannot actually query them, but you can see their names. I have heard that there is a method that disable this behavior, but I've been unable to find the answer, does anyone know how to do this? To give an example I have a SQL Server called MyDbServer, it has 4 databases, MyDatabase YourDatabse PrivateDatabase ReallyPrivateDb If you connect via an account that only has permissions to

SQL Server 2008 - Does a trigger run with the same permissions as the login/user?

阅读更多关于 SQL Server 2008 - Does a trigger run with the same permissions as the login/user?

Just a quick question: Say I put an insert trigger on a table in my database. If data is inserted into that table through a login/user "foobar". Does the trigger execute with the same access rights / permissions as "foobar"? Many thanks. Yes. You can control this behaviour with the EXECUTE AS clause of the create statement, as explained here . The default for triggers is EXECUTE AS CALLER where we find CALLER Specifies the statements inside the module are executed in the context of the caller of the module. The user executing the module must have appropriate permissions not only on the module

How to separate a person's identity from his personal data?

阅读更多关于 How to separate a person's identity from his personal data?

I'm writing an app which main purpose is to keep list of users purchases. I would like to ensure that even I as a developer (or anyone with full access to the database) could not figure out how much money a particular person has spent or what he has bought. I initially came up with the following scheme: --------------+------------+----------- user_hash | item | price --------------+------------+----------- a45cd654fe810 | Strip club | 400.00 a45cd654fe810 | Ferrari | 1510800.00 54da2241211c2 | Beer | 5.00 54da2241211c2 | iPhone | 399.00 User logs in with username and password. From the