LINQ and Database Permissions


Problem description

I'm still trying to learn LINQ and accessing SQL databases.

I was always taught that you should only have execute permissions on stored procedures for your data.

You should never be able to select/insert/update/delete directly.

(This is because of performance and security.)

To get data out with LINQ you obviously need select permission. I know you can use stored procedures with LINQ, but since I can't do joins, what's the point?

Am I missing something???


Reference solutions

Approach 1:

1) We're programmers, not DBA fascists. If your requirements state that the database must be locked down 100%, Linq is not for you. I'm not a DBA, so I believe that most of the performance/security hype is just that. Linq is for me.

2) You can do joins with linq.

@Philippe: Linq automatically transforms evaluations into query parameters, so it provides some sql injection protection. However, you still have to closely evaluate your requirements to determine how much security you need and at what levels. Linq makes dealing with the database much easier, but it makes it easier to put security design on the back burner, which is a bad thing.

Approach 2:

I'm very much in agreement with Jeff Atwood on the "Stored Procedures vs. Inline SQL/LINQ" issue: Who Needs Stored Procedures, Anyways?.

I'm confused as to why you'd even want to perform a JOIN if you're in the SPROCs-for-everything crowd; shouldn't you wrap that JOIN up into another SPROC?

As Will said, LINQ wasn't designed for the kind of DB use you're talking about; it was designed to give us statically-typed inline SQL. You could, however, still control access through user permissions if you use LINQ to SQL.

Approach 3:

Well, for security reasons you should not input any user entered data into queries. If you stick with this rule, I don't see the problem of having select permission.

Approach 4:

Whether all of your database access is "behind" stored procedures depends on the needs of the application and the company. I have implemented systems that use views to get all data and stored procedures for all updates. This allows for centralized security and database logic while still letting front-end developers use SQL queries where appropriate.

Like so many other things in programming - it depends on the needs for your project.

LinqToSql does support stored procedures. Scott Gu has a post on it:

http://weblogs.asp.net/scottgu/archive/2007/08/16/linq-to-sql-part-6-retrieving-data-using-stored-procedures.aspx

(by Christian Payne, user1228, Chris Zwiryk, Philippe, Peter)
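The "views for reads, stored procedures for writes" layout from Approach 4 maps directly onto SQL Server permissions, and it is also what lets a LINQ to SQL data context work without any grants on base tables: the application role gets SELECT on views (which LINQ can query and join like tables) and EXECUTE on procedures, and nothing else. The following T-SQL is an added example written for this page, not code from any of the answers; the schema, table, view, procedure, role and user names are placeholders, and the base-table `DENY` at the end is deliberately added so that a query against the table fails even if someone later grants it by mistake. Because the view, the procedure and the table share one owner (dbo), ownership chaining means the app user is never checked against the table when going through the view or the procedure.

```sql
-- Added example (not from the original answers). All object names are placeholders.
-- Least-privilege setup for an application that reads through LINQ to SQL and
-- writes through stored procedures.

CREATE SCHEMA Sales;
GO

CREATE TABLE Sales.Orders (
    OrderId    int IDENTITY(1,1) PRIMARY KEY,
    CustomerId int           NOT NULL,
    Amount     decimal(10,2) NOT NULL,
    Status     varchar(20)   NOT NULL DEFAULT 'new'
);
GO

-- Read side: the only SELECT surface the application sees. LINQ to SQL can map
-- this view like a table, so joins and filters in LINQ still work.
CREATE VIEW Sales.vOrdersForApp AS
    SELECT OrderId, CustomerId, Amount, Status
    FROM   Sales.Orders;
GO

-- Write side: every change goes through a procedure with typed parameters,
-- so the statement text is fixed and the values can only ever be data.
CREATE PROCEDURE Sales.usp_SetOrderStatus
    @OrderId int,
    @Status  varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE Sales.Orders
    SET    Status = @Status
    WHERE  OrderId = @OrderId;
END;
GO

-- One role for the application's connection; no table permissions at all.
CREATE ROLE app_linq;
GRANT SELECT  ON Sales.vOrdersForApp      TO app_linq;
GRANT EXECUTE ON Sales.usp_SetOrderStatus TO app_linq;
-- Explicit DENY on the base table: a later accidental GRANT cannot override it.
DENY  SELECT, INSERT, UPDATE, DELETE ON Sales.Orders TO app_linq;
GO

-- Self-contained check using a login-less user so the script runs in one database.
CREATE USER app_user WITHOUT LOGIN;
ALTER ROLE app_linq ADD MEMBER app_user;
GO

INSERT INTO Sales.Orders (CustomerId, Amount) VALUES (42, 19.99);
GO

EXECUTE AS USER = 'app_user';
    SELECT * FROM Sales.vOrdersForApp;            -- succeeds (SELECT on the view)
    EXEC Sales.usp_SetOrderStatus 1, 'shipped';   -- succeeds (EXECUTE on the proc)
    -- SELECT * FROM Sales.Orders;                -- would fail: permission denied
REVERT;
GO
```

In the LINQ to SQL data context, map `Sales.vOrdersForApp` as the entity for reads and call `usp_SetOrderStatus` as a method on the context (the Scott Gu post linked above covers that mapping); the application's login then needs membership in `app_linq` only. Running the commented-out `SELECT` against `Sales.Orders` inside the `EXECUTE AS` block is the quickest way to confirm the lockdown actually holds.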

References

  1. LINQ and Database Permissions (CC BY-SA 2.5/3.0/4.0)

#permissions #linq-to-sql
