[AccessD] Data interface The best way

Jim Lawrence accessd at shaw.ca
Thu Oct 13 15:15:09 CDT 2005 

At a recent MS conference the speaker discussed the whole issues around MS
SQL security. 

It was stated that if a raw sql request can be made from the client end,
regardless of its interface then your whole system is venerable. They then
proceeded to show a number of ways to hack-in to a MS SQL database using
various methods and security holes. 

The lectures were very impressive and alarming.

Jim

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Charlotte Foust
Sent: Thursday, October 13, 2005 12:46 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Data interface The best way

No, the SQL is stored in the application, not the BE, but yes if we were
going exclusively against SQL Server, the sproc names would work
instead.  Since our application is backend neutral at that level, we
don't do it that way.  I've never heard that business about SQL in the
front end being a security risk before, so I can't comment on that.
These are windows apps, so that might be the difference. Given that our
apps, front and backend, are run on our clients's systems, I don't know
what kind of security risk would be posed by the SQL being in the front
end anyhow.  

Charlotte Foust


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of David McAfee
Sent: Thursday, October 13, 2005 11:31 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Data interface The best way


Charlotte, does that mean you are using dynamic SQL in the BE? I tend to
see a lot more of that now that I am starting to use .Net more and more.
Couldn't the xml file hold a list of sproc names and you could just
execute a sproc instead? I was always instructed not to create SQL
Strings in the front end as passing them to the back end was a security
risk. This is of course, unless you are dealing with the possibility of
SQL injection on the back end and not allowing certain characters and/or
reserved words.

Jim, are you asking how to make a connection into the SQL BE via code? I
had a bit of a time understanding how to do this (coming form an Access
background). I created a test page with has a cascading combo box for
automobile makes and models. Here is how I assign the rowsource to the
"Model" combo box after selecting a "Make" (or manufacturer):

    Private Sub cboMake_SelectedIndexChanged(ByVal sender As
System.Object, ByVal e As System.EventArgs) Handles
cboMake.SelectedIndexChanged
        If Me.SqlConnection1.State <> ConnectionState.Open Then
Me.SqlConnection1.Open()
        Dim A As System.Data.SqlClient.SqlDataReader
        Dim B As SqlClient.SqlCommand
        B = New SqlClient.SqlCommand
        B.Connection = Me.SqlConnection1
        B.CommandText = "stpSelectModel " &
Me.cboMake.SelectedItem.Value

        A = B.ExecuteReader()
        Me.cboModel.DataSource = A
        Me.cboModel.DataTextField = "Model"
        Me.cboModel.DataValueField = "ModelID"
        Me.cboModel.DataBind()

        Me.SqlConnection1.Close()
    End Sub

HTH
David

-----Original Message-----
From: Charlotte Foust

We use typed datasets and build a data "entity" in the solution that
inherits that typed dataset and handles validations, update calls,
fills, etc.  We build dataproviders for each typed
dataset/entity/interface and let it handle creating the connections and
command strings, building the data adapter and passing a filled "entity"
back to the calling routine.  We actually store the SQL for these
commands in xml and look up the one we need, passing the parameters in
through the dataprovider.  It works quite well.

<snip>

Charlotte Foust


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Thursday, October 13, 2005 10:09 AM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] Data interface The best way


Hi All:

I am current working building a .Net solution for a client. ASP.Net 2,
ADO.Net and MS SQL 200x.

Traditionally, when designing the system I have passed all the Selects,
Inserts, Updates and Deletes requests through to the server via ADO
commands using parameter lists and then to MS SQL side Stored Procedures
to manage any final validation and data work.

I am not sure of the best way to manage the data flow with this new
architecture (i.e. Datasets etc.). Any suggestions and experiences would
be very helpful.

TIA
Jim


-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

More information about the AccessD mailing list