Frank Millman wrote:
> Steven D'Aprano wrote:
>
>>On Mon, 12 Sep 2005 08:33:10 -0700, Frank Millman wrote:
>>
>>>My problem is that, if someone has access to the network and to a
>>>Python interpreter, they can get hold of a copy of my program and use
>>>it to knock up their own client program that makes a connection to the
>>>database. They can then execute any arbitrary SQL command.
>>
>>Why is that your problem, instead of the company's problem? It is their
>>database server, yes? If they want to connect to it and execute arbitrary
>>SQL commands on their own database, (1) who are you to tell them they
>>can't? and (2) they hardly need your program to do it.
>>
>>--
>>Steven
>
> If they choose to give the userid and password to an individual, they
> are obviously giving him permission to execute any command.
>
> On the other hand, they can reasonably expect to set up users without
> giving them direct access to the database, in which case I think they
> would be upset if the users found this restriction easy to bypass.

Certainly, but that access control *shouldn't happen in the client*
whether the source is visible or not.

--
Robert Kern
[EMAIL PROTECTED]

"In the fields of hell where the grass grows high
 Are the graves of dreams allowed to die."
  -- Richard Harter