database-security

Firebase/Firestore - database has insecure rules?

独自空忆成欢 提交于 2021-01-29 18:20:18
问题 I have a SwiftUI application, which uses Firebase as a back end, and my rules are something like this: rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { // This rule allows anyone on the internet to view, edit, and delete // all data in your Firestore database. It is useful for getting // started, but it is configured to expire after 30 days because it // leaves your app open to attackers. At that time, all client // requests to your Firestore database

SQL Server 2008 - Does a trigger run with the same permissions as the login/user?

不想你离开。 提交于 2020-01-13 09:04:14
问题 Just a quick question: Say I put an insert trigger on a table in my database. If data is inserted into that table through a login/user "foobar". Does the trigger execute with the same access rights / permissions as "foobar"? Many thanks. 回答1: Yes. You can control this behaviour with the EXECUTE AS clause of the create statement, as explained here. The default for triggers is EXECUTE AS CALLER where we find CALLER Specifies the statements inside the module are executed in the context of the

Change PostgreSQL password encryption from MD5 to SHA

雨燕双飞 提交于 2019-12-12 13:08:27
问题 Is there a way to change the PostgreSQL password encryption method from MD5 to SHA? If Yes, can you please tell me how? I am using PostgreSQL 9.5 回答1: Pg 10 With PostgreSQL 10, you can set password_encryption to scram-sha-256 . From the docs When a password is specified in CREATE ROLE or ALTER ROLE without writing either ENCRYPTED or UNENCRYPTED , this parameter determines whether the password is to be encrypted. The default value is md5, which stores the password as an MD5 hash. Setting this

Is PDO … SET NAMES utf8 dangerous?

和自甴很熟 提交于 2019-12-11 04:28:27
问题 Looking at here: http://www.php.net/manual/en/mysqlinfo.concepts.charset.php I understand that using SET NAMES utf8 is not a good idea, but it is not clear: What is the issue? How to avoid it? Which is actually the solution to set the charset for a (or all) PDO connection(s) in a PHP 3.6 or higher? The code I'm afraid is dangerous: $this->_conn = new PDO('mysql:host=host.name.blabla;dbname=my_database_name','username', 'password',array( PDO::ATTR_PERSISTENT => true, PDO::ATTR_ERRMODE => PDO:

Access 2010 allowing multiple users/ Implementing group security

别等时光非礼了梦想. 提交于 2019-12-10 14:48:20
问题 I'm creating an Access 2010 database and would like some clarification when it comes to concurrency and security. What I would like is upon starting the app only a menu form to be displayed with several buttons including a login button. Most buttons would be disabled until after the user logs in at which point based on their permission group; Viewer(Deafault), Worker, Editor, Admin. Also, Admin should be the only one to be able to see the access database while the others are restricted to

How to separate a person's identity from his personal data?

佐手、 提交于 2019-12-09 06:22:28
问题 I'm writing an app which main purpose is to keep list of users purchases. I would like to ensure that even I as a developer (or anyone with full access to the database) could not figure out how much money a particular person has spent or what he has bought. I initially came up with the following scheme: --------------+------------+----------- user_hash | item | price --------------+------------+----------- a45cd654fe810 | Strip club | 400.00 a45cd654fe810 | Ferrari | 1510800.00 54da2241211c2

Limit Database List to Ones With Permission SQL Server

帅比萌擦擦* 提交于 2019-12-07 10:28:01
问题 By default if you connect to a remote SQL Server via an account that has access to say 1 of the 10 databases. You will still see in the Object Explorer all other databases, obviously due to permissions you cannot actually query them, but you can see their names. I have heard that there is a method that disable this behavior, but I've been unable to find the answer, does anyone know how to do this? To give an example I have a SQL Server called MyDbServer, it has 4 databases, MyDatabase

Limit Database List to Ones With Permission SQL Server

生来就可爱ヽ(ⅴ<●) 提交于 2019-12-05 17:47:05
By default if you connect to a remote SQL Server via an account that has access to say 1 of the 10 databases. You will still see in the Object Explorer all other databases, obviously due to permissions you cannot actually query them, but you can see their names. I have heard that there is a method that disable this behavior, but I've been unable to find the answer, does anyone know how to do this? To give an example I have a SQL Server called MyDbServer, it has 4 databases, MyDatabase YourDatabse PrivateDatabase ReallyPrivateDb If you connect via an account that only has permissions to

SQL Server 2008 - Does a trigger run with the same permissions as the login/user?

纵饮孤独 提交于 2019-12-05 06:30:33
Just a quick question: Say I put an insert trigger on a table in my database. If data is inserted into that table through a login/user "foobar". Does the trigger execute with the same access rights / permissions as "foobar"? Many thanks. Yes. You can control this behaviour with the EXECUTE AS clause of the create statement, as explained here . The default for triggers is EXECUTE AS CALLER where we find CALLER Specifies the statements inside the module are executed in the context of the caller of the module. The user executing the module must have appropriate permissions not only on the module

How to separate a person's identity from his personal data?

我们两清 提交于 2019-12-03 08:53:47
I'm writing an app which main purpose is to keep list of users purchases. I would like to ensure that even I as a developer (or anyone with full access to the database) could not figure out how much money a particular person has spent or what he has bought. I initially came up with the following scheme: --------------+------------+----------- user_hash | item | price --------------+------------+----------- a45cd654fe810 | Strip club | 400.00 a45cd654fe810 | Ferrari | 1510800.00 54da2241211c2 | Beer | 5.00 54da2241211c2 | iPhone | 399.00 User logs in with username and password. From the