I am using Microsoft SQL Server (2008-2012)
I would like to avoid directly querying the database, and instead, use some kind of a proxy (ODBC-Like) which I will query via my application, and it will query the actual database, and return me the results.
The idea is to manually encrypt some columns and have a barrier which will make encryption / decryption transparent to the application connecting the database.
Is there an off the shelf solution for this? Or do I actually need to write my own custom odbc driver?
Related
I've Implemented Always Encryption method in my Project, after knowing that it encrypts's the data in Client Side Code and Never reveals the Data to DataBase Engine.
I've gone through here and here and got a Clear Idea that Encryption/Decryption is done in Client Level(Driver).
Also, I've already posted a Question on this site too and got the Same Answers.
Although, I've needed to prove it to my Officials that between the Database Call and Client Code the data's will be encrypted.They simply ignore the Documentation.
How should I've able to prove them that during the network between the client and SQL server the Data in Encrypted and not Decrypted?
I tried with Process monitor. But it does not seem to work, it listing all the process behind the Visual Studio Execution(mostly DLL Calls)
Can i use Fiddler to Monitor ?
You can use SQL profiler that can be accessed through SSMS.
You can find it in SSMS menu as Tools -> Sql Server Profiler.
With some google search, you can find resources on how to use it.
I would create two tables having the same schema. Encrypt a couple of columns of one of the tables using Always Encrypted.
Run select, insert and point lookup queries for each table. You will see that for table with Always Encrypted columns, you will see encrypted values being sent to SQL Server for the encrypted columns whereas for plaintext table all the values sent to the server will be in plain text.
SQL-Profiler is a good way to Prove the Data is Encrypted through-out the Network.I've tried with Fiddler as well as SQL Profile. Both Proved my data were encrypted through out the Channel between Client and SQL Server. I would like to Show Images on this. (May be helpful for others)
Fiddler (Client Network Traffic)
SQL-Profiler (Data's from Client to SQL Server as Encrypted)
What is the best way to encrypt a SQL 2005 database?
I have found things about the with SQL 2008, and I've seen how to do column encryption in SQL 2005 - but it seems more difficult to access the table values then because you need to create a function or a view/stored procedure.
I also tried doing the file level security by using windows encryption (via a certificate) to encrypt the folder which held the database files, but then SQL Server Management Studio gave me errors on permissions (even after I gave it permissions).
I need to secure client data on our servers and I need to do it in a way that will not slow down our server too much, though I know it's inevitable due to the extra layer that encryption poses.
Am I missing something, or am I wrong? Please advise.
Upgrade to SQL Server 2008 and use Transparent Database Encryption. Unlike column level encryption of SQL Server 2005, the 2008 TDE is, as the name implies, transparent. Requires no application changes. Also, the data is searchable, something which is always desirable but very difficult to achieve with column encryption or with client side encryption.
File level encryption does not really work with SQL Server. However, BitLocker does work with SQL Server so encrypting the entire volume with BitLocker is another viable alternative.
If you don't want to slow down the server, you could encrypt and decrypt data on the fly using the client side to process it. Store data in the database in a serialized and/or encrypted fashion. There are many examples of this kind of thing on the net.
Create a wrapper for your data , like so :
Wrap(
Zip (
Base64 Encode (
Encrypt (
Serialize(
DATA
)
)
)
)
)
Then,
StoreInDB(
WrappedData
)
I have a project that will be using Access 2003 as the front-end and the data will be stored in SQL Server. Access will connect to SQL Server via linked tables with all the database logic (stored procedures, views) within SQL Server.
Given this setup, would it be better to use ADO or DAO within Access? Is it just a matter of preference or is one more suited to Access as a front-end and SQL Server as the data store? Especially when using linked tables. Thanks.
Write pass-thru queries as opposed to the linked table approach. Performance will be greatly improved. Writing an Access app?
Create some local tables to store some query results. You can dynamically change the pass-thru queries as needed as well as connection info for connecting to multiple databases.
Edit: General consensus is ADO for connecting to sql server/other sources and DAO for mdb only sources.
Use an MDB with ODBC linked tables. Because you are using ODBC, you are connecting via Jet, so it's obvious that DAO is the default choice for data access.
ADO should be used only for those things that can't be done otherwise, or that are performing poorly.
In short, you build your SQL Server app just like you would a pure-Access app (assuming you build an app with a Jet/ACE back end to retrieve data efficiently, which should be a no-brainer), and only resort to server-side functionality or ADO when the default Access approach is inefficient or doesn't get the result you need (e.g., an editable recordset in the case of recordset-returning sprocs).
DAO was used to access MDB databases from any COM application. I don't believe it can even connect to SQL Server.
ADO is a successor of DAO. ADO can connect to many databases, but interacts especially well with SQL Server. So in your situation, using ADO seems like a no brainer.
Microsoft Access is a slick way to access data in a MS SQL Server backend database, but I've always had problems accessing (so to speak) large tables of data, especially when trying to toggle between results and design mode in Access.
Access gives me a number of nifty things, not the least of which is Crosstabs, but this hung connection to the server drives me a little crazy!
Does any MS Access gurus know how to optimize the ODBC connection so it isn't doing what appears to be full table scans when I just want to tweak and build my queries?
The ODBC driver will pass as much work as possible to SQL Server but as soon as you use a vba function like Nz or non-SQL Server syntax like PIVOT then the ODBC driver must pull back more data and indexes to get the work done on the client side.
As per other answer either build your views in SQL Server and link to the views or else use an Access Data Project.
NB: PIVOT queries with unknown number of columns cannot be handled in SQL Server in the same way that Access will do this natively - so if you run a pivot in Access against SQL Server data you will likely pull the whole table back. Pivot queries must be built in SQL Server using dynamic SQL techniques or else pre-saved views that have all the columns hard coded. Check out this link for one way to do this:
http://www.sqlservercentral.com/articles/Advanced+Querying/pivottableformicrosoftsqlserver/2434/
As others have said, the only way to improve performance on large tables is to have the SQL Server database engine do the work for you. A method of doing this which hasn't been mentioned is to use a pass-through query, which will enable you to keep all your code in MS Access, without having to create objects on the SQL Server:
http://support.microsoft.com/kb/303968
You will have to write SQL Server T-SQL rather than the Access dialect; however, SQL 2005 (when running in compatibility mode 90) does support a PIVOT command.
My similar problem was that the ORACLE ODBC connection hung after selecting the Link table/ODBC connection. Task manager said not responding after 10's of minutes. The connection then pings ORACLE for all available tables. I had turned on logging on the ORACLE ODBC Administrator, so it had to write all these things to the log, slowing any results by perhaps hours. The log was 60 MB one hour later, when I turned it off, then everything was fine!
To turn it off go to the Oracle installation/Network Administration/MS ODBC Adminstrator/Tracing tab and turn it OFF!
A good resource on ODBC is here: http://eis.bris.ac.uk/~ccmjs/odbc_section.html
Unfortunately Access is not able to push a lot of that work to the server, and yes, it will do huge table scans when designing queries against multiple tables or views in SQL Server.
You can build and tweak queries (views) in SQL Server using SSMS and store the views in SQL Server for a massive performance boost and still use Access for your front end.
This should be simple. I'm trying to import data from Access into SQL Server. I don't have direct access to the SQL Server database - it's on GoDaddy and they only allow web access. So I can't use the Management Studio tools, or other third-party Access upsizing programs that require remote access to the database.
I wrote a query on the Access database and I'm trying to loop through and insert each record into the corresponding SQL Server table. But it keeps erroring out. I'm fairly certain it's because of the HTML and God knows what other weird characters are in one of the Access text fields. I tried using CFQUERYPARAM but that doesn't seem to help either.
Any ideas would be helpful. Thanks.
Try using the GoDaddy SQL backup/restore tool to get a local copy of the database. At that point, use the SQL Server DTS tool to import the data. It's an easy to use, drag-and-drop graphical interface.
What error(s) get(s) thrown? What odd characters are you using? Are you referring to HTML markup, or extended (eg UTF-8) characters?
If possible, turn on Robust Error Reporting.
If the problem is the page timing out, you can either increase the timeout using the Admin, using the cfsetting tag, or rewrite your script to run a certain number of lines, and then forward to itself at the next start point.
You should be able to execute saved DTS packages in MS SQL Server from the application server's command line. Since this is the case, you can use <cfexecute> to issue a request to DTSRUNNUI.EXE. (See example) This is of course assuming you are on a server where the command is available.
It's never advisable to loop through records when a SQL Update can be used.
It's not clear from your question what database interface layer you are using, but it is possible with the right interfaces to insert data from a source outside a database if the interface being used supports both types of databases. This can be done in the FROM clause of your SQL statement by specifying not just the table name, but the connect string for the database. Assuming that your web host has ODBC drivers for Jet data (you're not actually using Access, which is the app development part -- you're only using the Jet database engine), the connect string should be sufficient.
EDIT: If you use the Jet database engine to do this, you should be able to specify the source table something like this (where tblSQLServer is a table in your Jet MDB that is linked via ODBC to your SQL Server):
INSERT INTO tblSQLServer (ID, OtherField )
SELECT ID, OtherField
FROM [c:\MyDBs\Access.mdb].tblSQLServer
The key point is that you are leveraging the Jet db engine here to do all the heavy lifting for you.