|
In our environment the profile that uses ODBC is authorised to the
stored procedures and only to the SPs.
The database is owned by a separate profile.
The stored procedures are external LANGUAGE RPGLE.
The RPGLE programs are OWNER(database) USRPRF(*OWNER)
The underlying table/views are PUBLIC(*EXCLUDE).
With this design, no end user can directly read or write to the
database; they need to go through the stored procedures.
Assuming an attack that compromises the web server, those procedure
names, parameter lists, and data flows would become known to the
attacker, allowing an injection attack to be launched from the
compromised, but still authorised, web server
this attack surface is the same whether the underlying communication
between the web/front end and the database/back end is stored
procedures or a web service.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.