OLE DB Security Best Practices

It is recommended that you read the following sections before using Microsoft OLE DB. These topics discuss important security precautions for OLE DB 2.8 or later.

Setting Permissions for a Database

When users connect to an instance of Microsoft SQL Server, the activities they can perform are determined by the permissions granted to them. For an introduction to permission granting, read "Managing Permissions" in SQL Server Books Online or on MSDN. More security information for SQL Server can be found in "Managing Security" in SQL Server Books Online or on MSDN.

Consult related security information in the documentation of any other database you might be using.

Using OpenRowset

When using the OpenRowset command with the ODBC Provider(MSDASQL) or the Oracle Provider(Msdaora), a user could execute a SQL statement on a connected database. OpenRowset will execute a SQL statement that has been embedded in the command syntax. Two examples of this syntax are:

OpenRowSet on table named "sysobjects;insert into tablename values(6)"

and

OpenRowSet on table named "insert into tablename values(6)"

Using SQLOLEDB is recommend as an alternative to the ODBC Provider when OpenRowset is needed. SQLOLEDB would return DB_E_NOTABLE for the same statement issued with the ODBC Provider, and would not execute the SQL command. Setting database permissions will also prevent this type of statement from executing at the database. Read "Setting Permissions for a Database", above, for more information about permissions

See Also

Reference

IOpenRowset::OpenRowset

OLE DB Provider for ODBC

Concepts

OLE DB Provider for Oracle