[AccessD] Data interface The best way

Shamil Salakhetdinov shamil at users.mns.ru
Sat Oct 15 02:26:35 CDT 2005


Jim,

Thanks for the link.
I still think the following arguments of this article are getting obsolete:

<<<
- The best possible performance
- Removes the SQL code from the other layers of the application
- Prevents SQL injection attacks
- Prevents casual table browsing and modifications
>>>

Or I'd better say they are getting less important because with Application
Roles and modern technologies like ADO.NET and N-tier solutions all those
problems above (as well as related ones) have effective and secure solutions.

The secret passwords technique is quite different from Application Roles.
Secret passwords have to have superuser(s) defined. Application Roles don't.

I wouldn't want to start a "religious debate" here on the "SP vs. Dynamic
SQL" subject.
Here is an interesting link on such a debate -
http://www.theserverside.net/news/thread.tss?thread_id=31953 - it's good
enough to close the subject I guess? :)

BTW, here is a good and free CRUD generator -
http://www.microsoft.com/france/msdn/olymars/default.mspx for the developers
who prefer CRUD SPs to dynamic SQL or parameterized queries or other dynamic
SQL techniques....

Shamil

----- Original Message ----- 
From: "Jim Lawrence" <accessd at shaw.ca>
To: "'Access Developers discussion and problem solving'"
<accessd at databaseadvisors.com>
Sent: Saturday, October 15, 2005 4:04 AM
Subject: Re: [AccessD] Data interface The best way


> Shamil, the other technique is to have secret passwords embedded in the
> compiled FE (dll/executable) code and in theory that should eliminate
> hostile attacks.
>
> Here is a good article on CRUD:
> http://www.databasejournal.com/features/mssql/article.php/3082201
>
> Jim
>
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Shamil
> Salakhetdinov
> Sent: Friday, October 14, 2005 2:39 PM
> To: Access Developers discussion and problem solving
> Subject: Re: [AccessD] Data interface The best way
>
> > So what special purpose is then served by the sproc?
> IMO they are now getting obsolete for CRUD operations.
>
> You're right Charlotte, I think - in a modern N-tier architecture if one
> gets Data Layer objects running on a well protected server then there is
> no need for CRUD stored procedures. MS SQL database tables/views can still
> be well protected and Data Layer objects will use Application Roles to do
> whatever these Application Roles are allowed to do with the database
> using dynamic SQL....
>
> And SQL injection attempts can be blocked at the Business/Data Layer
> object interfaces level...
>
> Shamil
>
> ----- Original Message ----- 
> From: "Charlotte Foust" <cfoust at infostatsystems.com>
> To: "Access Developers discussion and problem solving"
> <accessd at databaseadvisors.com>
> Sent: Friday, October 14, 2005 11:55 PM
> Subject: Re: [AccessD] Data interface The best way
>
>
> > Swell, define dynamic SQL.  When it is compiled into a dll, is it still
> > dynamic?  When your permissions to the back end are highly restricted
> > and all the SQL is created in the dll, is it still dynamic?  I
> > understand the capabilities of sprocs.  However, in an N-tier
> > architecture, you can build some of that same capability into the middle
> > tier and validate the data before it ever gets passed to the backend for
> > handling.  So what special purpose is then served by the sproc?
> >
> > Charlotte Foust
> >
> >
> <<< tail trimmed >>>
>
> -- 
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com