I am a beginner React Native developer and am wondering how my MongoDB database (or databases in general) is secured from overwrite attacks. The way I understand it is that users (clients) cannot see my code directly, but if they do see part of it (e.g. the server address) then they could write scripts and create actions themselves, overwriting my database. How is this prevented in practice? And is it possible for clients to see my code? I know there are 'private servers' for some MMORPGs, so surely there must be a way to find out about the secret sauce (i.e. the application)?
if they do see part of it (e.g. the server address) then they could write scripts and create actions themselves, overwriting my database.
If you have a basic security setup, they cannot read or write any data in your database.
Firstly, you must use authentication and configure permissions for each user. You can also use a firewall for connections.
Scenario: servers are in the same data center
If your servers are in the same data center, you can connect all of them to each other over the local network. Thus, the hacker/user cannot reach your database from outside, since your servers already communicate among themselves. (In that situation, you'd connect to your database from a local IP.)
Scenario: servers are not in the same data center
In this situation, you'd configure your firewall and allow only specific IP addresses. If you want to make it harder, you can code a REST API for your project. Thus, you only need to use special tokens for each request between servers.
Generally, MMORPG games use separate setups for each continent. They basically use a local network for communication, but of course they use a more complex system compared to what I described.
I want to know how to connect Xamarin.Forms PCL with SQL Server directly. I know accessing the database directly will not be secure, but that's not a problem in my situation. I need to access the database directly from Xamarin.Forms. I am using Visual Studio 2017. I have developed an app with Xamarin.Forms PCL.
In answer to your question, use Entity Framework Core and a connection string, directly to your database. That will enable you to connect directly to it.
Now, I'm going to spend the rest of this answer on why you shouldn't do this.
You are giving a remote, unknown, complete stranger complete, direct access to your database. Even if it's in a separate network, with completely trusted users, and not on the app store, you are still opening your database up to potential security breaches.
It is likely over an unreliable mobile connection or Wi-Fi. It will fail and drop out, a lot.
It will be incredibly slow.
If you want to move that SQL Server later or update it, you will break every single client out there while you send out an update for your app.
You won't be able to easily add any logic in between to improve performance or add business logic as needed.
Database corruption, another important and likely to occur scenario, as mentioned by Brandon above.
What you need to do:
Create a web API. It's easy to set one up with WebAPI on dotnetcore.
The API connects to the database, the mobile client connects to the API.
Add authentication to your API.
And I go into some more detail in Connecting to a remote database here.
Can I restrict access to a specific database on my SQL Server 2008 database based on client IP address? If so, how do I do it? There are multiple databases on this server so we can't block access to the SERVER based on the IP, just a specific DATABASE.
You absolutely cannot do this at database granularity. You are talking about detecting things like queries using three-part names ([banned_db].[dbo].[table]) and synonyms referencing the protected DB while using an unprotected DB. There just isn't any framework in place to do so. You must rely on access security (GRANT/DENY/REVOKE). At best, do what gbn suggests and separate the protected DB into its own instance, then use firewall rules to protect its ports.
Personally, I'd use security to do this. Limit access via permissions not via IP.
If you really do need IP address security (e.g. for banking secrecy jurisdictions like Switzerland or Singapore), then use separate servers.
There is currently no way to limit access to a specific database based on the network segment you are coming from. I can see the need for this to limit access to a production DB from a stage server. I guess this is why there is the need to build different SQL servers for each environment.
I believe you can limit SQL access by application: http://msdn.microsoft.com/en-us/library/bb669062.aspx
I need some advice regarding which database I should use.
I want to create a web application in Java EE and I need a database for storing some information.
I want to make it available not only from my personal computer. The Java code will simply be exported, but what should I do regarding the database?
Which database should I use in order to make it available to anyone?
Just about any modern, client/server dbms will work. If I were in your shoes, I'd try PostgreSQL first. The online docs have a full chapter on server configuration. Pay particular attention to "Connections and authentication".
Often a remote user will connect to an application (a web page, for example), and that application will connect to the database. Usually the application and the dbms run on different servers, in which case the dbms will accept connections only from localhost (for maintenance), the local area network (for company internal use), and from the application server.
Do some research before you decide to let the dbms accept connections from every IP address on Earth; that's a little risky.
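As an added illustration of the setup this answer describes (not from the answer itself), here is what the PostgreSQL host-based authentication file, pg_hba.conf, looks like when the server accepts connections only from localhost, the company LAN and one application server. The database name, role names and addresses are assumed placeholders; rules are matched top to bottom, so the explicit reject lines at the end catch everything not listed above them.

```conf
# TYPE  DATABASE   USER        ADDRESS          METHOD
# Local maintenance over the Unix socket (OS user must match the DB role)
local   all        all                          peer
# Same host over TCP, for admins and tooling
host    all        all         127.0.0.1/32     scram-sha-256
host    all        all         ::1/128          scram-sha-256
# Company LAN (placeholder range): only the read-only reporting role
host    appdb      reporting   10.20.0.0/16     scram-sha-256
# The application server (placeholder address): only the role the app runs as
host    appdb      appuser     10.30.1.15/32    scram-sha-256
# Everything else is rejected explicitly
host    all        all         0.0.0.0/0        reject
host    all        all         ::/0             reject
```

pg_hba.conf only decides who may authenticate; `listen_addresses` in postgresql.conf and the host firewall still control which interfaces and ports are reachable at all.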
I have been reading that direct access to a SQL Server database over the Internet is insecure, so I am wondering what intermediary I can and should use between the client and the server. What are the best practices in terms of security and performance?
For direct access, you would have to use SSL on your connections, but generally, I wouldn't expose a database server to the internet. I would design my way around it, for example by creating web services in front of the db server.
Use an API (Application Programming Interface). This is a front door to the data you wish to expose. This means you will need to define what you expose and how.
For example, Stack Overflow does not allow anyone to access their database directly. BUT they have allowed people to access certain parts of their database via their Stack Apps API. What parts? They have exposed certain parts with their own API: web URLs that spit back data based upon what you request. The results are in JSON format only (at the time of posting this answer).
Here is a sample API method that exposes some of their database. (EDIT: hmm, none of the API links work ... the link I was trying to show was http://api.stackoverflow.com/0.8/help/method?method=answers/{id}/ )
Now, if you don't want to actually think about what data to expose (e.g. DB tables, if you're using a relational database like Microsoft SQL Server or Oracle) but want to expose the ENTIRE database, just via the web, then maybe you could look at using OData in front of your DB to expose it?
Another Edit:
I was assuming you meant allowing the public to access your DB, not private users. Otherwise, this should be on ServerFault.
I'd written this lovely reply pertaining to web access to a SQL server, and then you go and update it stating you have a desktop app in place.
With that, as was said above, the best idea is to not expose a database server to the internet. If you absolutely have to, then there are a few possible solutions.
Implement some sort of VPN connection into the network. I had one instance where we had a large number of sites all connecting to a database server (and company network) via VPN. This kept the database server off the internet while still allowing half-decent access time to the information. This was for a retail environment with not a great deal of data throughput.
Properly set up your firewalls and permissions on the server. This one should be done anyway. You could put the server behind a firewall, allowing access only on 1433, and only from a specific IP range (which I assume would be possible). This way, you can at least lower the number of locations a possible attack could come from.
This could all be employed in addition to the APIs and services mentioned above.
You can use a config.php. You must write the DB name, DB user, DB password and host in config.php. Then you can use

```php
<?php require("config.php"); ?>
```

in your page.
You could just have a page in your web site's language (e.g. PHP, JSP, ASP, etc.) that queries the DB and returns the data you need in whatever format you need. For example, if you're using jQuery, from the client side:

```javascript
$.ajax({
  url: 'ajax/test.php',          // server-side page that queries the DB
  success: function(data) {      // data holds whatever test.php printed
    $('.result').html(data);
    alert('Load was performed.');
  }
});
```

Here, test.php would connect to the DB and query it, and the result of test.php would be returned in the data variable.
I have a customer that works with LOGICAISSE, a provider of cash registers that will be connected to an MS Access database (yep, it's old!).
I need to have access to that database for a shopping cart on the web; how do I access this kind of database? For now I have only done it with SQL or SQLite in PHP.
Thanks in advance
As you didn't name a specific programming language, here is a tutorial in PHP, for example.
There are also libraries for other languages. Usually you would use ODBC (or a JDBC wrapper) to connect to Access databases.
If using .NET or similar, the easy way is to set up an ODBC connection to the Access database.
Note that you will need to have read/write access to the share that the Access file is located on. Write is required to create the .lck files that Access needs to track whether tables are locked, etc.
That said, I would seriously argue that you need to pull the data from Access into a server like SQL Server and have your website hit the SQL Server. Access is NOT built as a multi-user database, and treating it like one will lead to a host of issues, especially if the website in question has any level of traffic.