On Monday 25 September 2006 07:45, Peter Machell wrote:
> > How do you restrict access to the main patient db but still allow
> > web access to the appointments?
> > Seems scary to me.
>
> Nah, with any SQL you can:
>
> grant select,update on database.appointments to [EMAIL PROTECTED]
> identified by 'password';
>
> without giving any access to other tables. This is MySQL syntax but
> you can do it with any modern database.

Let's say you write sloppy software. You don't parse user input, and become a victim of an SQL injection attack or some such. A few more problems and the intruder may escalate privileges to a degree high enough to compromise confidentiality. Not a good idea relying solely on user identification to the database server.

Horst
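
Added example, not part of the original messages: a sketch of both points in the exchange above, showing that a table-level restriction contains an injected query but does not protect the appointments themselves, while a bound parameter does. It assumes SQLite's authorizer callback as a stand-in for the MySQL grant, and the table layout, function names and rows are constructed for illustration.

```python
import sqlite3

WEB_TABLE = "appointments"  # the only table the web account may touch

def web_only(action, arg1, arg2, db_name, source):
    """Stand-in for: grant select,update on <db>.appointments to the web user."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION):
        return sqlite3.SQLITE_OK
    if action in (sqlite3.SQLITE_READ, sqlite3.SQLITE_UPDATE) and arg1 == WEB_TABLE:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # every other table and operation is refused

def open_web_connection():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (ref TEXT, name TEXT, history TEXT);
        CREATE TABLE appointments (patient_ref TEXT, slot TEXT);
        -- constructed sample rows
        INSERT INTO patients VALUES ('p1', 'A. Example', 'constructed');
        INSERT INTO appointments VALUES ('p1', '2006-09-26 09:00'),
                                        ('p2', '2006-09-26 09:30');
    """)
    conn.set_authorizer(web_only)  # from here on the connection is "the web user"
    return conn

def slots_unsafe(conn, patient_ref):
    # Sloppy version: user input is pasted into the statement text.
    sql = "SELECT slot FROM appointments WHERE patient_ref = '%s'" % patient_ref
    return conn.execute(sql).fetchall()

def slots_safe(conn, patient_ref):
    # Hardened version: the value is bound and never parsed as SQL.
    sql = "SELECT slot FROM appointments WHERE patient_ref = ?"
    return conn.execute(sql, (patient_ref,)).fetchall()

def denied(conn, fn, value):
    """True when the restricted account is refused while running fn."""
    try:
        fn(conn, value)
    except sqlite3.DatabaseError:
        return True
    return False

if __name__ == "__main__":
    conn = open_web_connection()
    widened = "x' OR '1'='1"                          # constructed test input
    other = "x' UNION SELECT name FROM patients --"   # constructed test input
    print("unsafe, widened filter:", slots_unsafe(conn, widened))
    print("unsafe, other table refused:", denied(conn, slots_unsafe, other))
    print("safe, same inputs:", slots_safe(conn, widened), slots_safe(conn, other))
```
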
