在《深入“daxia123 网站木马” 来自微软专家的SQL注入防范方法》一文里,我深入了解了来自微软专家的SQL注入防范方法。为了确保使用数据库的Web应用程序只拥有最少的访问权限,可以批量修改表和存储过程的所有者,然后通过控制所有者的权限来实现SQL安全配置。下面是批量修改表和存储过程的所有者的方法:
以下示例中的 user 代表新的所有者,请替换为实际的数据库用户名。注意:sp_changeobjectowner 会移除对象上已有的全部权限,修改所有者之后需要按最小权限原则重新授权。
1、更新数据表所有者
批量方法:EXEC sp_MSforeachtable 'exec sp_changeobjectowner ''?'',''user'' '
单个方法:exec sp_changeobjectowner 'city','user' --city表名
2、更新存储过程所有者
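-- ChangeProcOwner: reassigns every stored procedure in the current database
-- that is owned by @OldOwner to @NewOwner, one sp_changeobjectowner call per
-- procedure.
--
-- Operational notes for whoever runs this:
--   * sp_changeobjectowner removes all existing permissions from each object
--     it touches, so EXECUTE grants must be re-applied afterwards. Until they
--     are, the application account may lose access to the procedures.
--   * The catalog used here (sysobjects / uid / xtype) and sp_changeobjectowner
--     are the SQL Server 2000-era interfaces; on SQL Server 2005 and later
--     Microsoft documents ALTER SCHEMA / ALTER AUTHORIZATION as the replacement.
--   * NOTE(review): if ChangeProcOwner itself is owned by @OldOwner it is part
--     of the result set and is reassigned too -- confirm that is intended.
--   * Run it as a principal allowed to change object ownership, and do not
--     grant EXECUTE on this procedure to the web application's own account.
CREATE PROCEDURE ChangeProcOwner
    @OldOwner AS NVARCHAR(128), -- current owner whose procedures are reassigned
    @NewOwner AS NVARCHAR(128)  -- user that becomes the owner
AS
DECLARE @Name AS NVARCHAR(128)
-- Two bracket-quoted 128-character identifiers plus the dot can reach 517
-- characters; the original NVARCHAR(128) buffer silently truncated long names.
DECLARE @QualifiedName AS NVARCHAR(517)

-- LOCAL: the cursor is released when the procedure ends, even after an error,
--        so a failed run cannot leave a connection-wide "curObject" behind.
-- STATIC: the list of procedures is snapshotted before any owner is changed,
--         so the rows being modified cannot disturb the iteration.
DECLARE curObject CURSOR LOCAL STATIC FOR
    SELECT name
    FROM sysobjects
    WHERE USER_NAME(uid) = @OldOwner
      AND xtype = 'P' -- stored procedures; upper case so case-sensitive collations match too
    ORDER BY name

OPEN curObject
FETCH NEXT FROM curObject INTO @Name
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- QUOTENAME keeps owner or procedure names that contain dots, spaces or
    -- brackets from being parsed as a different (or invalid) object name.
    SET @QualifiedName = QUOTENAME(@OldOwner) + N'.' + QUOTENAME(@Name)
    EXEC sp_changeobjectowner @QualifiedName, @NewOwner
    FETCH NEXT FROM curObject INTO @Name
END
CLOSE curObject
DEALLOCATE curObject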
GO
执行方法:
-- Reassign every stored procedure owned by dbo to the new owner 'user'.
EXEC ChangeProcOwner @OldOwner = 'dbo', @NewOwner = 'user'
或者
-- NOTE(review): ChangeProcOwner compares the owner name with '=', so '?' is not
-- a wildcard here (it is only a placeholder inside sp_MSforeachtable). This call
-- changes nothing unless a user is literally named '?'; pass the real owner name.
exec ChangeProcOwner '?','user'