Wednesday, May 6, 2020
Row Level Security And Virtual Private Database - 1485 Words
Row Level Security / Virtual Private Database

Row level security is important in this application because data related to many different users is stored in the database. It would be wasteful to assign each student their own database, hence the need for a centralized database, but we cannot give students full access to the data. A student should only be able to view or modify the rows of data that relate specifically to him. We can achieve this by creating row level security, or a virtual private database (VPD). VPD enables the developer to enforce security directly on tables, views or synonyms. It provides row level access control beyond that of views, since it uses all the data manipulation languages...

VPD can be implemented using stored procedures:

    CREATE OR REPLACE FUNCTION specific_users (
      p_schema IN VARCHAR2 DEFAULT NULL,
      p_object IN VARCHAR2 DEFAULT NULL
    ) RETURN VARCHAR2
    AS
    BEGIN
      -- Policy predicate: only rows whose project_name matches the current APEX user
      RETURN 'project_name = v(''APP_USER'')';
    END specific_users;
    /

SQL INJECTION

SQL injection occurs when the user can influence the SQL code, usually as a result of the developer not writing the code properly. A user with some knowledge of SQL may enter values in a form to try to query the database. This might select information from APEX application items, find items, and reveal enough about the application to make it easy to attack, or execute any DDL command that alters the database objects. It arises where the SQL statement is built by concatenating substitution strings with the static portion of the query, so that the user provides the values.

A section of PL/SQL that is susceptible to SQL injection:

    -- Vulnerable: the user-supplied value becomes part of the statement text
    l_sql := 'SELECT * FROM project WHERE project_name = ''' || p_project_name || '''';

When a user enters any valid name in the database report, but not the right data, the database only ensures that the statement is syntactically correct, and parses it. Some records can be obtained instead of the required one.
The solution to this attack is to use a bind variable. Bind variables are evaluated during the bind phase of processing a query, the SQL will be
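
The contrast described above, as an added example that is not part of the original post: the concatenated statement beside the same query using a bind variable through EXECUTE IMMEDIATE ... USING. The table contents, the helper names count_concatenated, count_bound and compare, and the two inputs are constructed for illustration.

```sql
-- Added example, not from the original post. All rows are constructed sample data.
CREATE TABLE project (project_name VARCHAR2(30), owner VARCHAR2(30));
INSERT INTO project VALUES ('ALPHA', 'ALICE');
INSERT INTO project VALUES ('BETA',  'BOB');
INSERT INTO project VALUES ('GAMMA', 'CAROL');
COMMIT;

SET SERVEROUTPUT ON  -- SQL*Plus / SQLcl setting so DBMS_OUTPUT is displayed

DECLARE
  -- Hypothetical helpers; p_project_name mirrors the parameter in the post.
  FUNCTION count_concatenated (p_project_name IN VARCHAR2) RETURN NUMBER IS
    l_sql   VARCHAR2(4000);
    l_count NUMBER;
  BEGIN
    -- Vulnerable: the input is spliced into the statement text before parsing,
    -- so quotes in the input can change the structure of the WHERE clause.
    l_sql := 'SELECT COUNT(*) FROM project WHERE project_name = '''
             || p_project_name || '''';
    EXECUTE IMMEDIATE l_sql INTO l_count;
    RETURN l_count;
  END;

  FUNCTION count_bound (p_project_name IN VARCHAR2) RETURN NUMBER IS
    l_count NUMBER;
  BEGIN
    -- Hardened: the statement text is fixed and parsed as written; the value
    -- is supplied at bind time and is only ever compared as data.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM project WHERE project_name = :name'
      INTO l_count USING p_project_name;
    RETURN l_count;
  END;

  PROCEDURE compare (p_input IN VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(RPAD(p_input, 20)
      || ' concatenated=' || count_concatenated(p_input)
      || ' bound='        || count_bound(p_input));
  END;
BEGIN
  compare('ALPHA');              -- legitimate project name
  compare('x'' OR ''1''=''1');   -- constructed input containing quote characters
END;
/
```

For the second input the concatenated version counts every row in the table, while the bound version counts none because no project has that literal name.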