Forbid user to use certain SQL statements?

[MiditecReportDev]

Hi,

 

just wanted to ask if it is in any way possible to forbid the guy who builds the reports to use certain sql statements such as insert, update or delete?

As far as I can see a report tool such as Jasper should have some tools for that as normal reports in my/our eyes should be read-only oO It is kind of unsafe to allow that, especially when the guy who builds the report (theoretical scenario) may get fired, knows it and inserts a delete statement for a crucial database table into a report without anyone being abtle to stop this.

[hozawa]

I think database permission should be set in the database's user permission.

e.g. DENY DELETE ON tablename
https://msdn.microsoft.com/en-us/library/ms173724.aspx

 

[javier.ggi90]

I agree with @hozawa. But also, you should set up a development database and back it up if you are worried about it. This also prevents the developer from looking at sensitive information, if there is any.

[MiditecReportDev]

The development is not a problem, we have development databases^^ So deleting from there or looking at data is no problem at all.

Problem is that you can easily give reports to customers that will delete all their data as long as you know at least one table name, which you do since they'll need to tell you for select statements anyways.

Kind of unsecure in my opinion, but we'll solve this differently now.

[ghudson_1]

Since 4.5, Jasper Reports Server has built-in security validation which uses regex to prohibit things like delete statements within SQL queries   (other sql injection):

http://community.jaspersoft.com/wiki/jaspersoft-security-changes-and-configuration

Of course this is JRS, not the development tools like Studio.