Oracle触发器禁用从toad直接更新和删除

时间:2017-05-19 09:31:50

标签: oracle security plsql

我有一个带有存储过程的Oracle数据库。现在我只需要通过存储过程插入,更新和删除,并防止从toad直接插入,更新和删除

1 个答案:

答案 0 :(得分:1)

似乎您想将表上的DML限制为一组定义的已分配过程。让我们采用允许DML操作的简化假设,无论程序如何被调用,但仅在调用过程时。以下是这样做的框架。 

Create a package that: 
  1. Define in the SPEC the DML routines. 
  2. Define in the SPEC a function that returns a value indicating whether the DML in allowed or not.
  3. Create in the BODY the DML procedures and the DML Validation function.
  4. Define in the BODY a package level control variable indicating DML Allowed or not.
  5. In the DML routines set he DML Allowed variable to allow the operation.
  7. In the DML routines always set the DML control variable to disallow the operation completes AND when any exception occurs.
  8. (optional) Define in the SPEC a user defined error number and message. 

Create a trigger which validates the control variable and throws exception if it's not allowed.

Skeleton For above:假设表名=> 'My_Special_Table'

Create or Replace package My_Special_Table_DML as 
  Invalid_DML_Requested_num constant number := -20199; --Used define Error
  Invalid_DML_Requested_msg constant varchar2(80) :=
          'DML on My_Special_Table only allowed through DML routines in Package';

  Function  Is_DML_Allowed return boolean ;
  Procedure Delete_My_Special_Table (*parameter list as needed*);
  Procedure Update_My_Special_Table (*parameter list as needed)*;
  Procedure Insert_My_Special_Table (*parameter list as needed*);
end My_Special_Table_DML; 

Create or Replace package My_Special_Table_DML BODY as 
  DML_OK    boolean := false;      -- do not allow DML opperation 

  Function Is_DML_allowed return boolean is
  begin 
     return DML_OK; 
  end Is_DML_Valid ; 

  Procedure Delete_My_Special_Table (*parameter list as needed*) is
  -- declare local variables
  Begin 
      DML_OK := true ;
      ... other code as needed 

      Delete from My_Special_Table .... 

      DML_OK := false ; 
  exception 
     when <expected errors> 
          then
              DML_OK := false; 
              <code to handle expected errors>
     when others 
          then 
              DML_OK := false. 
              raise ;
  end Delete_My_Special_Table;

  -- *Code for Update and Insert similar to above Delete.*

end My_Special_Table;

Create or Replace Trigger My_Special_Table_DML_BIUD
    before insert or update or delete on My_Special_Table
is
begin 
    if not(My_Special_Table_DML.Is_DML_Alloewd)
    then 
        raise_application_error(Invalid_DML_Requested_num,
                               ,Invalid_DML_Requested_msg
                               ); 
    end if; 
end My_Special_Table_DML_BIUD;

我会留给你弄清楚这个的逻辑以及它为什么起作用。 但请注意APC的问题:“如果有人从TOAD运行程序会发生什么”。在这种情况下,DML将被允许来自任何数据库连接,其中用户对包具有执行权限。包括但不限于TOAD。

相关问题
最新问题