Mailing List Archive




Andy Mitchell (afm@biotech.ufl.edu)
Wed, 30 Apr 1997 10:47:17 -0500


Message-Id: <199704301547.KAA02229@snarl.biotech.ufl.edu>
Subject: Re: [mSQL] Help with acl - please 
Date: Wed, 30 Apr 1997 10:47:17 -0500
From: Andy Mitchell <afm@biotech.ufl.edu>

+-- "Bill Krueger" <r2d2@koyote.com>, wrote:
|
| In your insert statement, you INSERT INTO foo, which is the name of your
| database. You must insert into tables only. First create a table, then
| insert values into it.

Thanks for advice Bill, but I still have the same problem.

1.) Yes, you are right, I inserted into the database instead of the
table. BUT IT STILL WORKED - so what kind of security is that????

2.) I tried my example again inserting and updating to a *table*
in a database to which I should have had read access but not write
access and the behaviour is the same: insert fails, update succeeds.

3.) I've received examples from others that duplicate my problem.

Don't get me wrong, I think mSQL is great, and this isn't really a
huge problem for me, since all my mSQL stuff sits behind a secure
web server and there are no login accounts on the mSQL/Web server
machine and I can do all the authentication necessary in my CGI
source code (actually, I just snagged most of bambi's code for
tokenizing the msql.acl file and do the priv's check in my own
code). But, I sure would like to know what is going on here??

Can anyone with influence duplicate this problem? Is it a bug
or am I just an idiot? (Or both ? ;-)

Cheers,
        Andy
