Re: sp_OACreate

From: Purple-Man@xxxxxxxxxxx
Date: 11 Aug 2005 11:56:39 -0700

I am confused. Why would MSDN recommend we wrap them in a wrapper
stored procedure if we still need SA privileges to execute the
underlying extendible stored procedures? Their article implies that if
you are granted execute privileges to the wrapper, you should be OK.
Here is an excerpt from that document:

There are a few T-SQL commands and extensions that present their own
unique security concerns. One of these is sp_OACreate and its related
family of system procedures (e.g., sp_OAMethod, sp_OAProperty, etc.).
Earlier, we looked at a potential security problem that would be
created by granting an application login direct access to these
procedures. To avoid this problem, never write application code that
directly calls the sp_OA procedures. Instead, wrap all references to
these procedures in your own T-SQL stored procedures, and only grant
access to these wrapper stored procedures. Also, do not allow the
application code to pass in the names of COM objects or methods as
strings that are blindly invoked by the wrapper procedure.

Thank you.

.

References:
- sp_OACreate
  - From: Purple-Man
- Re: sp_OACreate
  - From: Ilya Margolin

Prev by Date: Re: sp_OACreate
Next by Date: Re: DTS and VB Script Crash Course....HELP!!!
Previous by thread: Re: sp_OACreate
Next by thread: DTS to write to UDB
Index(es):
- Date
- Thread

Relevant Pages

Re: sp_OACreate
... you are granted execute privileges to the wrapper, ... these procedures in your own T-SQL stored procedures, ...
(microsoft.public.sqlserver.dts)
Re: Calling stored procedures like any other function
... I use stored procedures pretty much exclusively. ... Its pretty much automatic and it has saved programmers a lot of time. ... much was that codesmith can read the datatypes, parameters, and resultset ... The WMS672 thing is the stored procedure wrapper. ...
(microsoft.public.dotnet.framework.adonet)
Extreme performance issues (SQL Server 2000/ADO.NET/C#)
... same exact stored procedures and views, run in the same exact order, through ... system that runs SQL Server (a 4-cpu Xeons system with 2gigs of physical ... When I execute these steps manually through query analyser,, ...
(microsoft.public.sqlserver.server)
Sybase, JDBC, AutoCommit, DDL IN TRAN
... having executing Sysbase stored procedures via JDBC. ... stored procedure which contains DDL and with AutoCommit set to false I ... The explanation for this behaviour I have found is that the JDBC ... I need to be able to set AutoCommit to false and execute multiple ...
(comp.lang.java.databases)
Re: Records lost in an ADOStoredProc
... Use a thread to fire off the stored procedures so that your application ... Let's suppose it updates ... > the CacheSize is set to 1; it is worse when I increase the CacheSize. ... > I don't need to show records, only to execute the store procedure. ...
(borland.public.delphi.database.ado)