In previous customer consultation cases, many customer applications directly used SA accounts to connect to SQL Server. If the database management is a little stricter, the application should not be given this kind of permission. Usually the application only needs to perform additions, deletions, modifications, and queries, but rarely DDL operations. Therefore, the principle of "least privilege allocation" should be followed when configuring accounts. Grant the required permissions.
For applications, the minimum permissions are usually given to read permissions, write permissions and execute stored procedure permissions. In order to prevent database information leakage caused by SQL injection, you also need to consider denying the account permission to view definitions. However, it is worth noting that if the permission to view definitions is denied, Bulk Insert will fail. The complete permission definition is as follows:
ALTER ROLE [db_datareader] ADD MEMBER 用户名 ALTER ROLE [db_datawriter] ADD MEMBER 用户名 grant execute to 用户名 deny view definition to 用户名
In SQL Server, the instance level is the login name, while the database level is the user name. The login name can be mapped to a specific library after creation. Therefore, I wrote a complete script to create login names, users, and grant corresponding permissions. The script is as follows:
--创建用户的存储过程, --示例EXEC sp_CreateUser 'UserName','rw','DatabaseName' --EXEC sp_CreateUser 'tesefx','r','Test','0xE39CA97EBE03BB4CA5FF78E50374EEBB' CREATE PROC sp_CreateUser @loginName VARCHAR(50) , @IsWrite VarCHAR(3) , @DatabaseName VARCHAR(50), @Sid VARCHAR(100) ='1' AS PRINT('示例:EXEC sp_CreateUser ''UserName'',''rw'',''DatabaseName''') PRINT('示例:EXEC sp_CreateUser ''UserName'',''rwv'',''DatabaseName'',''0xE39CA97EBE03BB4CA5FF78E50374EEBB''') PRINT('r为只读权限,rw为读写权限,rwv为读写加View Definition权限') IF EXISTS ( SELECT name FROM sys.syslogins WHERE name = @loginName ) BEGIN PRINT N'登录名已存在,跳过创建登录名步骤' END ELSE BEGIN DECLARE @CreateLogin NVARCHAR(1000) DECLARE @pwd VARCHAR(50) PRINT @Sid SET @pwd=NEWID() IF(@sid='1') BEGIN SET @CreateLogin = 'CREATE LOGIN [' + @loginName + '] WITH PASSWORD=N''' + @Pwd + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF;' PRINT N'登录名已创建,密码为:'+@pwd END ELSE BEGIN SET @CreateLogin = 'CREATE LOGIN [' + @loginName + '] WITH PASSWORD=N''' + @Pwd + ''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF,sid='+@Sid+';' PRINT N'已经使用SID创建登录名:'+@loginName END EXEC (@CreateLogin) --DECLARE @sidtemp NVARCHAR(50) --SELECT @sidtemp=sid FROM sys.server_principals WHERE name=@loginName --PRINT(N'登录名为:'+@loginName+N' SID为: 0x'+CONVERT(VARCHAR(50), @sidtemp, 2) ) END DECLARE @DynamicSQL NVARCHAR(1000) --切换数据库上下文 SET @DynamicSQL = N'Use [' + @DatabaseName + ']; ' + 'IF EXISTS(SELECT name FROM sys.database_principals WHERE name='''+@loginName+''') Begin Print(''用户名已存在,跳过创建用户名的步骤'') end else begin CREATE USER [' + @loginName + '] FOR LOGIN ' + @loginName + ' end;IF (''' + @IsWrite + '''=''rw'' or ''' + @IsWrite + '''=''rwv'') BEGIN ALTER ROLE [db_datareader] ADD MEMBER ' + @loginName + ';ALTER ROLE [db_datawriter] ADD MEMBER ' + @loginName + '; END ELSE BEGIN ALTER ROLE [db_datareader] ADD MEMBER ' + @loginName + '; ALTER ROLE db_datawriter DROP MEMBER ' + @loginName + ' ;End;grant execute to ' + @loginName + '; if('''+@IsWrite+'''<>''rwv'') begin deny view definition to ' + @loginName + '; end else begin grant view definition to ' + @loginName + '; end' EXEC (@DynamicSQL)
This stored procedure is used to create the login name, user, and corresponding permissions required for the application to connect to SQL Server. This step will be skipped when the user or login name exists. An example of using this stored procedure is:
EXEC sp_CreateUser 'UserName','rw','DatabaseNam' EXEC sp_CreateUser 'tesefx','r','Test','0xE39CA97EBE03BB4CA5FF78E50374EEBB'
The first line of the above execution is to create a standard account, the account name UserName, and give it read and write access to the DatabaseNam library permissions and returns the generated GUID password. The second stored procedure uses the fourth parameter sid to create a login name. Since in AlwaysOn or mirroring environments, the login names at both ends need to have the same SID, a method is provided to create a login name using SID in this case.
Adding Users to MySQL: The Complete TutorialMay 12, 2025 am 12:14 AMMastering the method of adding MySQL users is crucial for database administrators and developers because it ensures the security and access control of the database. 1) Create a new user using the CREATEUSER command, 2) Assign permissions through the GRANT command, 3) Use FLUSHPRIVILEGES to ensure permissions take effect, 4) Regularly audit and clean user accounts to maintain performance and security.
Mastering MySQL String Data Types: VARCHAR vs. TEXT vs. CHARMay 12, 2025 am 12:12 AMChooseCHARforfixed-lengthdata,VARCHARforvariable-lengthdata,andTEXTforlargetextfields.1)CHARisefficientforconsistent-lengthdatalikecodes.2)VARCHARsuitsvariable-lengthdatalikenames,balancingflexibilityandperformance.3)TEXTisidealforlargetextslikeartic
MySQL: String Data Types and Indexing: Best PracticesMay 12, 2025 am 12:11 AMBest practices for handling string data types and indexes in MySQL include: 1) Selecting the appropriate string type, such as CHAR for fixed length, VARCHAR for variable length, and TEXT for large text; 2) Be cautious in indexing, avoid over-indexing, and create indexes for common queries; 3) Use prefix indexes and full-text indexes to optimize long string searches; 4) Regularly monitor and optimize indexes to keep indexes small and efficient. Through these methods, we can balance read and write performance and improve database efficiency.
MySQL: How to Add a User RemotelyMay 12, 2025 am 12:10 AMToaddauserremotelytoMySQL,followthesesteps:1)ConnecttoMySQLasroot,2)Createanewuserwithremoteaccess,3)Grantnecessaryprivileges,and4)Flushprivileges.BecautiousofsecurityrisksbylimitingprivilegesandaccesstospecificIPs,ensuringstrongpasswords,andmonitori
The Ultimate Guide to MySQL String Data Types: Efficient Data StorageMay 12, 2025 am 12:05 AMTostorestringsefficientlyinMySQL,choosetherightdatatypebasedonyourneeds:1)UseCHARforfixed-lengthstringslikecountrycodes.2)UseVARCHARforvariable-lengthstringslikenames.3)UseTEXTforlong-formtextcontent.4)UseBLOBforbinarydatalikeimages.Considerstorageov
MySQL BLOB vs. TEXT: Choosing the Right Data Type for Large ObjectsMay 11, 2025 am 12:13 AMWhen selecting MySQL's BLOB and TEXT data types, BLOB is suitable for storing binary data, and TEXT is suitable for storing text data. 1) BLOB is suitable for binary data such as pictures and audio, 2) TEXT is suitable for text data such as articles and comments. When choosing, data properties and performance optimization must be considered.
MySQL: Should I use root user for my product?May 11, 2025 am 12:11 AMNo,youshouldnotusetherootuserinMySQLforyourproduct.Instead,createspecificuserswithlimitedprivilegestoenhancesecurityandperformance:1)Createanewuserwithastrongpassword,2)Grantonlynecessarypermissionstothisuser,3)Regularlyreviewandupdateuserpermissions
MySQL String Data Types Explained: Choosing the Right Type for Your DataMay 11, 2025 am 12:10 AMMySQLstringdatatypesshouldbechosenbasedondatacharacteristicsandusecases:1)UseCHARforfixed-lengthstringslikecountrycodes.2)UseVARCHARforvariable-lengthstringslikenames.3)UseBINARYorVARBINARYforbinarydatalikecryptographickeys.4)UseBLOBorTEXTforlargeuns
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
SublimeText3 English version
Recommended: Win version, supports code prompts!
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
Dreamweaver Mac version
Visual web development tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
