How can I prevent or avoid running UPDATE and DELETE statements without a WHERE clause in Oracle? Please help with this.
Answer 0: (score: 1)
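This seems like the wrong approach. It would be better to use a combination of:
(A) revoking access from people who cannot be trusted, (B) providing access through a PL/SQL layer that restricts users to predefined operations, and (C) sizing your database with enough UNDO to flash back if something goes catastrophically wrong.
However, you can use fine-grained auditing to do what you want. Basically, have your audit handler raise an error if the current SQL has no filters. It's pretty easily fooled, though.
Here is an example: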
-- Create a table we want to protect
drop table matt1;
create table matt1 ( a number );
-- Put some data into it
insert into matt1
select level from dual connect by rownum <= 100;
commit;
-- Create an audit handler that will protect our table from wide-open updates
-- or deletes
CREATE OR REPLACE PACKAGE matt_table_protector_pkg AS
  PROCEDURE table_protector ( schema_name VARCHAR2, table_Name VARCHAR2, policy_name VARCHAR2 );
END matt_table_protector_pkg;
/
CREATE OR REPLACE PACKAGE BODY matt_table_protector_pkg AS
  PROCEDURE table_protector ( schema_name VARCHAR2, table_Name VARCHAR2, policy_name VARCHAR2 ) IS
    l_filter_count NUMBER;
  BEGIN
    EXECUTE IMMEDIATE 'EXPLAIN PLAN FOR ' || SYS_CONTEXT('USERENV','CURRENT_SQL');
    select count(*)
    into l_filter_count
    from table(dbms_xplan.display(format=>'PREDICATE'))
    where plan_table_output like '% - filter(%'
    and plan_table_output not like '%SYS_AUDIT(%';
    IF l_filter_count = 0 THEN
      raise_application_error(-20001, 'Unrestricted DML is not allowed on this table.');
    END IF;
  END;
END matt_table_protector_pkg;
/
Next, we create a fine-grained auditing policy so that our package is called whenever there is an update or delete on the table.
--EXEC DBMS_FGA.drop_policy (object_schema => user, object_name => 'MATT1', policy_name => 'PROTECT_MATT1');
EXEC DBMS_FGA.add_policy (object_schema => user, object_name => 'MATT1', policy_name => 'PROTECT_MATT1', audit_condition => null, audit_column => NULL, handler_schema => user, handler_module => 'MATT_TABLE_PROTECTOR_PKG.TABLE_PROTECTOR', enable => TRUE, statement_types => 'UPDATE, DELETE');
That's it. You're now mostly protected.
select * from matt1;
100 rows selected
delete from matt1 where a = 7;
1 row deleted
delete from matt1;
ORA-28144: Failed to execute fine-grained audit handler
ORA-20001: Unrestricted DML is not allowed on this table.
ORA-06512: at "APPS.MATT_TABLE_PROTECTOR_PKG", line 15
ORA-06512: at line 1
Because Oracle is smart enough to optimize away many tautologies, you are also protected from statements like:
delete from matt1 where 1=1;
or
delete from matt1 where 1<2;
But it is still easy to fool. For instance, this statement will work.
delete from matt1 where sysdate is not null;
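Option (B) from the answer above, sketched as an added example (not part of the original answer): a definer-rights PL/SQL package that exposes only keyed delete and update on MATT1. The package name matt1_api, the error numbers -20002/-20003, and the role app_user_role are hypothetical, and the role is assumed to exist already.

```sql
-- Added example: hypothetical API package for option (B).
-- Run as the schema that owns MATT1. Names other than MATT1 are assumptions.
CREATE OR REPLACE PACKAGE matt1_api AUTHID DEFINER AS
  -- Delete only the rows whose key equals p_a; a NULL key is rejected.
  PROCEDURE delete_row ( p_a IN matt1.a%TYPE );
  -- Change one key value to another; both values must be supplied.
  PROCEDURE update_row ( p_old_a IN matt1.a%TYPE, p_new_a IN matt1.a%TYPE );
END matt1_api;
/
CREATE OR REPLACE PACKAGE BODY matt1_api AS
  PROCEDURE delete_row ( p_a IN matt1.a%TYPE ) IS
  BEGIN
    IF p_a IS NULL THEN
      raise_application_error(-20002, 'A key value is required for delete.');
    END IF;
    -- Static SQL with a bind variable: the caller cannot drop or alter the WHERE clause.
    DELETE FROM matt1 WHERE a = p_a;
  END delete_row;

  PROCEDURE update_row ( p_old_a IN matt1.a%TYPE, p_new_a IN matt1.a%TYPE ) IS
  BEGIN
    IF p_old_a IS NULL OR p_new_a IS NULL THEN
      raise_application_error(-20003, 'Old and new key values are required for update.');
    END IF;
    UPDATE matt1 SET a = p_new_a WHERE a = p_old_a;
  END update_row;
END matt1_api;
/
-- Callers receive SELECT on the table and EXECUTE on the package only.
-- No UPDATE or DELETE privilege on MATT1 is granted, so direct DML fails
-- with ORA-01031 (insufficient privileges) regardless of its WHERE clause.
GRANT SELECT ON matt1 TO app_user_role;
GRANT EXECUTE ON matt1_api TO app_user_role;
```

Because the package runs with the owner's privileges, the predicate is fixed in compiled code rather than inferred from an execution plan, so filters like `sysdate is not null` have no path to the table.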