MacGyver
Starting Member
3 Posts |
Posted - 29 December 2004 : 19:40:25
|
db: SQL Server 2000
OS: Win2K
Install: Intranet
So, I followed the instructions to the best of my abilities (stop laughing), and I was able to get the database set up in SQL Server 2000 and let the setup.asp script populate the database with tables and so forth.
As soon as I get past the initial setup screen, I am prompted to check the database, do that, and then it tells me that the database needs to get upgraded. I enter the db admin credentials and set up the forum admin's user name and password, too, click the link...and get the SQL SERVER PERMISSION DENIED error on the setup_login.asp page.
Checking the code, it's right around line 78, where it checks the user name and password for the forum admin.
I bypassed that piece of code and got as far as default.asp, but the same type of PERMISSION DENIED error comes up.
Any ideas what I might be doing wrong? Is there anything else I can check in SQL Server? The SQL Server admin credentials I'm typing in when prompted are for "sa" -- different from the user specified in the connection string.
Any help would be greatly appreciated.
|
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 29 December 2004 : 21:40:13
|
is it possible that the user specified in the connection string doesn't have the correct permissions? |
 |
|
MacGyver
Starting Member
3 Posts |
Posted - 29 December 2004 : 22:55:26
|
Yes, that's quite possible.
Then again, the prompt on the setup page states to enter the SQL Server admin's credentials to update the database -- even if that SQL Server admin is not the same user that's listed in the connection string.
However, I did give my snitz forum user in the connection string all the available privileges. Is there a quick way to check and compare whether there might be something wrong with my user?
Thank you. |
 |
|
RichardKinser
Snitz Forums Admin
    
USA
16655 Posts |
Posted - 29 December 2004 : 23:14:05
|
does substituting the sa user in the connection string make the error go away? |
 |
|
MacGyver
Starting Member
3 Posts |
Posted - 30 December 2004 : 09:35:32
|
WOW!
Why didn't I think of that? Thank you. Thank you. Thank you.
Did I mention, THANK YOU!
That did the trick. Now I'm just curious: Am I in any way running a security risk by leaving the BIG KAHUNA (sa) in the connection string?
In my other web applications, I typically have a default database user with limited privileges, so that -- in case they could figure out some SQL Injection -- they couldn't do too much damage. Such as dropping the database.
Is the Snitz Forum "secure" in that regard? And is it all right to leave the connection string as is (with sa and all)?
Oh, and before I forget: THANK YOU FOR ALL YOUR HELP! You rock!
|
 |
|
ruirib
Snitz Forums Admin
    
Portugal
26364 Posts |
Posted - 30 December 2004 : 22:03:55
|
After table creation is done, all you need to access the database is a user with db_datawriter database role. You probably should create one and use it in your connection string.
Snitz has been protected against SQL injection attacks, but no one can assure you that all possible ways of using SQL injection have been covered. As far as we know, Snitz is protected and considerable effort has been put into that protection. There are no known security issues with our latest version and that's the best that we (or anyone else) can assure. |
 |
|
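The least-privilege setup suggested in the reply above, sketched as an added example for SQL Server 2000 (it is not part of the original thread or of Snitz's own scripts). The database name `SnitzForum`, the login `snitz_app`, the password and the connection strings are hypothetical placeholders; `db_datareader` is added on the assumption that the forum pages also need SELECT, which `db_datawriter` alone does not grant.

```sql
-- Added example. SnitzForum, snitz_app and the password are placeholders.
-- Run as a sysadmin login (such as sa) in Query Analyzer, AFTER the setup
-- script has finished creating and upgrading the tables.

-- 1. Create a dedicated SQL Server login for the forum application.
EXEC sp_addlogin
     @loginame = 'snitz_app',
     @passwd   = 'REPLACE_WITH_STRONG_PASSWORD',
     @defdb    = 'SnitzForum'
GO

USE SnitzForum
GO

-- 2. Map the login to a user inside the forum database only.
EXEC sp_grantdbaccess @loginame = 'snitz_app', @name_in_db = 'snitz_app'

-- 3. Grant data access through fixed database roles, not ownership.
EXEC sp_addrolemember 'db_datawriter', 'snitz_app'  -- INSERT/UPDATE/DELETE
EXEC sp_addrolemember 'db_datareader', 'snitz_app'  -- SELECT (assumption, see lead-in)
GO

-- 4. Review what the account ended up with (one row per role membership).
EXEC sp_helpuser 'snitz_app'
GO

-- 5. Connected AS snitz_app, check the session's effective privileges.
--    Each function returns 1 for "member" and 0 for "not a member".
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner,
       IS_MEMBER('db_datawriter')   AS is_datawriter,
       IS_MEMBER('db_datareader')   AS is_datareader
GO

-- 6. Connection string change (constructed values, OLE DB keyword form):
--    weak:      Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=SnitzForum;User ID=sa;Password=...
--    corrected: Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=SnitzForum;User ID=snitz_app;Password=...
```

With this account an injected statement runs with data-modification rights only, so schema changes such as dropping tables or the database, and server-level actions available to sa, are refused by the server.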