Charlotte Foust
cfoust at infostatsystems.com
Thu Oct 13 14:46:16 CDT 2005
No, the SQL is stored in the application, not the BE, but yes if we were
going exclusively against SQL Server, the sproc names would work
instead. Since our application is backend neutral at that level, we
don't do it that way. I've never heard that business about SQL in the
front end being a security risk before, so I can't comment on that.
These are windows apps, so that might be the difference. Given that our
apps, front and backend, are run on our clients's systems, I don't know
what kind of security risk would be posed by the SQL being in the front
end anyhow.
Charlotte Foust
-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of David McAfee
Sent: Thursday, October 13, 2005 11:31 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Data interface The best way
Charlotte, does that mean you are using dynamic SQL in the BE? I tend to
see a lot more of that now that I am starting to use .Net more and more.
Couldn't the xml file hold a list of sproc names and you could just
execute a sproc instead? I was always instructed not to create SQL
Strings in the front end as passing them to the back end was a security
risk. This is of course, unless you are dealing with the possibility of
SQL injection on the back end and not allowing certain characters and/or
reserved words.
Jim, are you asking how to make a connection into the SQL BE via code? I
had a bit of a time understanding how to do this (coming form an Access
background). I created a test page with has a cascading combo box for
automobile makes and models. Here is how I assign the rowsource to the
"Model" combo box after selecting a "Make" (or manufacturer):
Private Sub cboMake_SelectedIndexChanged(ByVal sender As
System.Object, ByVal e As System.EventArgs) Handles
cboMake.SelectedIndexChanged
If Me.SqlConnection1.State <> ConnectionState.Open Then
Me.SqlConnection1.Open()
Dim A As System.Data.SqlClient.SqlDataReader
Dim B As SqlClient.SqlCommand
B = New SqlClient.SqlCommand
B.Connection = Me.SqlConnection1
B.CommandText = "stpSelectModel " &
Me.cboMake.SelectedItem.Value
A = B.ExecuteReader()
Me.cboModel.DataSource = A
Me.cboModel.DataTextField = "Model"
Me.cboModel.DataValueField = "ModelID"
Me.cboModel.DataBind()
Me.SqlConnection1.Close()
End Sub
HTH
David
-----Original Message-----
From: Charlotte Foust
We use typed datasets and build a data "entity" in the solution that
inherits that typed dataset and handles validations, update calls,
fills, etc. We build dataproviders for each typed
dataset/entity/interface and let it handle creating the connections and
command strings, building the data adapter and passing a filled "entity"
back to the calling routine. We actually store the SQL for these
commands in xml and look up the one we need, passing the parameters in
through the dataprovider. It works quite well.
<snip>
Charlotte Foust
-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Thursday, October 13, 2005 10:09 AM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] Data interface The best way
Hi All:
I am current working building a .Net solution for a client. ASP.Net 2,
ADO.Net and MS SQL 200x.
Traditionally, when designing the system I have passed all the Selects,
Inserts, Updates and Deletes requests through to the server via ADO
commands using parameter lists and then to MS SQL side Stored Procedures
to manage any final validation and data work.
I am not sure of the best way to manage the data flow with this new
architecture (i.e. Datasets etc.). Any suggestions and experiences would
be very helpful.
TIA
Jim
--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com