  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 11:09 AM|greenlit_design

    Hi, a Sys Admin account in MS SQL gives you access to all databases and gives you all privileges. So basically you don't need any other rights. I'm not sure if a Windows Admin account has admin rights in MS SQL. I believe you need to add the Windows Account to MS SQL and grant that account proper permissions. If you were able to create a new SQL login with SysAdmin privileges, then you probably had SysAdmin. Each database has a "permission admin" role which allows a SQL user to grant permissions. Remember, a SQL login grants access at the database level (except for server roles like sysAdmin). You need to grant that SQL login access to each database you want that SQL login to access. If you grant DBO rights to a SQL login to a database, that SQL login becomes a user in the database. DBO rights are the highest level in a database (not database server). So you'll get create, alter, grant, select etc... for all DB objects (view, stored proc, etc...). Security in MS SQL can get complicated. That's why it's important to involve a DBA when you're not sure. People tend to grant DBO rights because it's the easiest way. You then pay the price later. Luckily the script did not try to create tables, stored proc... Don't hesitate if you have questions.


    Ok, I think I got it working (for one site anyway, others should be simple now). I ended up creating a new admin login for myself and then using that to go into the SQL management so I knew I had full admin rights. I made sure I gave myself permissions for all the sites I need to change and then ran the code and it worked without error.

    I then made sure it worked and does deny access by running this using the web back end of the site (which uses the ASP user account for this site):

    SELECT * from sysobjects

    Previously this returned full results, now it returns nothing - so that seems to be job done as far as this part goes.

    Thanks eftennis and davidreabow for your comments, these helped me greatly.


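An added example, not part of the original thread or any poster's code: a T-SQL audit of the role memberships discussed above (sysadmin, db_owner) and of whether the web account can still read `sysobjects`. It assumes SQL Server 2005 or later, run by a sysadmin inside the site's database; `web_app_user` is a placeholder for the database user behind the site's ASP connection.

```sql
-- Assumptions (not from the thread): SQL Server 2005+, executed by a sysadmin
-- in the site's database. N'web_app_user' is a placeholder name.

-- 1. Logins holding the sysadmin server role (full rights on every database).
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Users in the current database that are members of db_owner.
SELECT m.name AS user_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';

-- 3. Explicit GRANT / DENY entries recorded for the web account.
--    object_name is NULL for database-level permissions such as CONNECT.
SELECT pr.name AS user_name,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'web_app_user';

-- 4. Effective rights, evaluated as the web account itself.
--    Both columns should be 0 for a locked-down web account.
EXECUTE AS USER = N'web_app_user';
SELECT IS_MEMBER(N'db_owner') AS is_db_owner,
       HAS_PERMS_BY_NAME(N'sys.sysobjects', N'OBJECT', N'SELECT')
           AS can_select_sysobjects;
REVERT;
```

Run it once per database the site uses, since database roles and object permissions are recorded per database.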