How should I access to SQL Server DB? - sql-server

I have been reading that direct access to a SQL Server database over the Internet is insecure, so I am wondering what intermediary I can and should use between the client and the server. What are the best practices in terms of security and performance?

For direct access, you would have to use SSL on your connections, but generally, I wouldn't expose a database server to the internet. I would design my way around it, for example by creating web services in front of the db server.

Use an API (Application Programming Interface). This is a front door to the data you wish to expose. This means you will need to define what you expose and how.
For example, Stack Overflow does not allow their database to be accessed by anyone directly. BUT, they have allowed people to access certain parts of their database, via their Stack Apps API. What parts? They have exposed certain parts with their own API -> web URLs that spit back data, based upon what you request. The results are in JSON format only (at the time of my posting this answer).
Here is a sample API method that exposes some of their database. (EDIT: hmm, none of the API links work ... the link I was trying to show was http://api.stackoverflow.com/0.8/help/method?method=answers/{id}/ )
Now .. if you don't want to actually think about what data to expose (e.g. DB tables, if you're using a relational database like Microsoft SQL Server or Oracle Sql Server) but want to expose the ENTIRE database .. just via the web ... then maybe you could look at using OData in front of your DB to expose it?
Another Edit:
I was assuming you meant allowing the public to access your DB .. not private. Otherwise, this should be on ServerFault.

I'd written this lovely reply pertaining to web access to a SQL server, and then you go and update it stating you have a desktop app in place.
With that, as was said above, the best idea is to not expose a database server to the internet. If you absolutely have to, then there are a few possible solutions.
Implement some sort of VPN connection into the network. I had one instance where we had a large number of sites all connecting to a database server (and company network) via VPN. This kept the database server off of the internet, while still allowing a half decent access time to the information. This was for a retail environment with not a great deal of data throughput.
Properly set up your firewalls and permissions on the server. This one should be done anyway. You could put the server behind a firewall, allowing access only on 1433, and only from a specific IP range (which I assume would be possible). This way, you can at least lower the number of locations a possible attack could come from.
This could all be employed in addition to the APIs and services mentioned above.
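The firewall point above (port 1433 reachable only from a known IP range) is easy to state and easy to get wrong in practice, so here is a small added check, not part of the original answers, that audits connection events against the intended allow-list. The log line format and the allowed networks are constructed for this example; substitute your own firewall export and your office/VPN ranges.

```python
import ipaddress
from typing import Iterable, List, Dict

# Constructed allow-list: the only networks that should reach TCP/1433.
# (Assumption for this example; TEST-NET and RFC 1918 ranges stand in for
# an office egress address and a VPN client pool.)
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (constructed)
    ipaddress.ip_network("10.8.0.0/16"),      # VPN client pool (constructed)
]
DB_PORT = 1433


def source_allowed(src_ip: str) -> bool:
    """True if src_ip falls inside one of the permitted networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SOURCES)


def audit_connections(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse constructed 'key=value' firewall lines and return every event that
    targeted the database port from outside the allow-list.

    Allowed events that were let through are the real problem (a rule is too
    wide); denied events from outside are expected but still worth seeing,
    because they show who is probing the port."""
    findings = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if int(fields.get("dport", 0)) != DB_PORT:
            continue  # not the database port, out of scope for this audit
        if not source_allowed(fields["src"]):
            findings.append({"src": fields["src"], "action": fields.get("action", "")})
    return findings


# Constructed sample export; in practice this would be read from the firewall log.
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z src=203.0.113.40 dport=1433 action=allow",
    "ts=2024-01-01T10:00:05Z src=198.51.100.7 dport=1433 action=allow",  # rule too wide
    "ts=2024-01-01T10:00:09Z src=198.51.100.7 dport=443 action=allow",   # not the DB port
    "ts=2024-01-01T10:01:00Z src=10.8.3.12 dport=1433 action=allow",     # VPN client, fine
    "ts=2024-01-01T10:02:00Z src=192.0.2.55 dport=1433 action=deny",     # blocked probe
]

if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_LOG):
        print(f"{finding['src']} reached port {DB_PORT} from outside the allow-list ({finding['action']})")
```

Run it against a real export periodically: an "allow" from outside the list means the firewall rule does not match the policy you think you deployed.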

You can use a config.php. You must write the db name, db user, db password, and host in config.php. Then you can use
    <?php require("config.php"); ?>
in your page.

You could just have a page in your web site's language (e.g. PHP, JSP, ASP, etc...) that queries the DB and returns the data you need in whatever format you need. For example:
If you're using jQuery, from the client-side:
    $.ajax({
        url: 'ajax/test.php',
        success: function(data) {
            $('.result').html(data);
            alert('Load was performed.');
        }
    });
Here, test.php would connect to the DB and query it, and the output of test.php would be returned in the 'data' variable.
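The server-side half of that pattern (the part test.php plays) is where the security of the whole arrangement is decided, because the request value ends up inside a SQL statement. The following added example, which is not from the original answer, shows the naive string-spliced query beside its parameterized form and a handler that validates the input before querying. It uses Python's built-in sqlite3 as an offline stand-in for SQL Server; the bound-parameter idea is the same as SqlParameter in ADO.NET or prepared statements in PHP's PDO/SQLSRV drivers.

```python
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the database test.php would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """What a naive endpoint often does: splice the request value into SQL.
    A value containing a quote changes the query itself, not just the data,
    so a crafted 'name' can return every row instead of one."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, params: dict) -> dict:
    """The handler behind the ajax call: validate the input shape first, then
    run the parameterized query, and hand back only the fields the page needs.
    The result is what the real endpoint would serialize into the 'data' value."""
    name = params.get("name", "")
    if not (0 < len(name) <= 64) or not name.isalnum():
        return {"error": "invalid name"}
    rows = lookup_safe(conn, name)
    return {"users": [{"name": n, "email": e} for n, e in rows]}


if __name__ == "__main__":
    db = make_db()
    # A normal lookup and the textbook injection value, through both paths.
    print(lookup_unsafe(db, "alice"), lookup_unsafe(db, "x' OR '1'='1"))
    print(lookup_safe(db, "alice"), lookup_safe(db, "x' OR '1'='1"))
    print(json.dumps(handle_request(db, {"name": "bob"})))
```

The validation in handle_request is a second line of defence, not a substitute for the bound parameter: the parameter is what makes the query safe, the allow-list on the input just keeps junk out of the database and the logs.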

Related

How is my MongoDB database secured from overwrite attacks?

I am a beginner React Native developer and am wondering how my MongoDB database (or databases in general) is secured from overwrite attacks. The way I understand it is that users (clients) cannot see my code directly, but if they do see part of it (e.g. the server address) then they could write scripts and create actions themselves, overwriting my database. How is this prevented in practice? And, is it possible for clients to see my code? I know there are 'private servers' in some MMORPGs so surely there must be a way to find out about the secret sauce (i.e. the application)?
if they do see part of it (e.g. the server address) then they could write scripts and create actions themselves, overwriting my database.
If you have basic security set up, they cannot write and read any data from your database.
Firstly, you must use authentication and configure permissions for each user. You can also use a firewall for connections.
Scenario: servers are in the same data center
If your servers are in the same data center, you can connect all servers with an internet protocol. Thus, the hacker/user cannot reach your database from outside since your servers are already communicating between them. (For that situation, you'd connect to your database from the local IP.)
Scenario: servers are not in the same data center
In this situation, you'd configure your firewall and open only specific IP addresses. If you want to make it harder, you can code a REST API for your project. Thus, you only need to use special tokens for each request by servers.
Generally, MMORPG games are using separate setups for each continent. They basically use a local network for communication but of course, they are using a more complex system compared to what I said.
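The "special tokens for each request by servers" idea in the answer above is usually implemented as a request signature: the calling server holds a shared secret and signs each request, and the API rejects anything unsigned, tampered with, or too old. The example below is added here and is not from the answer; the secret, paths and timestamps are constructed, and the canonical message format is one reasonable choice rather than any particular framework's.

```python
import hashlib
import hmac

# Constructed shared secret for the example. In practice each calling server
# gets its own secret, provisioned out of band and rotated independently.
SHARED_SECRET = b"example-secret-do-not-use"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable


def canonical_message(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the token to what the request does, when, and with which body.
    Hashing the body keeps the signed string short for large payloads."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Calling server: compute the token that travels in a request header."""
    msg = canonical_message(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, timestamp: int,
                   body: bytes, token: str, now: int) -> bool:
    """API side: reject stale requests, then recompute and compare the token.
    compare_digest avoids leaking the match position through timing."""
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False
    expected = sign_request(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed request time
    body = b'{"sku": "A1", "qty": 2}'
    token = sign_request(SHARED_SECRET, "POST", "/orders", ts, body)
    print("valid:", verify_request(SHARED_SECRET, "POST", "/orders", ts, body, token, ts + 10))
    print("tampered body:", verify_request(SHARED_SECRET, "POST", "/orders", ts, b'{"sku": "A1", "qty": 20}', token, ts + 10))
    print("replayed later:", verify_request(SHARED_SECRET, "POST", "/orders", ts, body, token, ts + 1000))
```

The timestamp window limits replay but does not eliminate it; for an API where a replayed call matters (creating an order twice), add a per-request nonce that the server remembers for the length of the window.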

How to Connect Xamarin.forms PCL with SQL Server directly?

I want to know how to connect Xamarin.Forms PCL with SQL Server directly. I know accessing the database directly will not be secure. But that's not a problem in my situation. I need to access the database directly from Xamarin.Forms. I am using Visual Studio 2017. I have developed an app with Xamarin.Forms PCL.
In answer to your question, use Entity Framework Core and a connection string, directly to your database. That will enable you to connect directly to it.
Now, I'm going to spend the rest of this answer on why you shouldn't do this:
You are giving a remote, unknown, complete stranger, complete, direct access to your database. Even if it's in a separated network, with completely trusted users, and not on the app store, you are still opening your database up to potential security breaches.
It is likely over an unreliable mobile connection or wifi. It will fail and drop out, a lot.
It will be incredibly slow
If you want to move that SQL server later or update, you will break every single client out there, while you send an update for your app.
You won't be able to easily add any logic, in between, to improve performance, or add business logic as needed.
Database corruption, another important and likely to occur scenario, as mentioned by Brandon above.
What you need to do:
Create a web API. It's easy to set up one with Web API on .NET Core.
The API connects to the database, the mobile client connects to the API.
Add authentication to your API.
And I go into some more detail in Connecting to a remote database here.

What goes between SQL Server and Client?

This question is an updated version of a previous question I have asked on here.
I am new to client-server model with SQL Server as the relational database. I have read that public access to SQL Server is not secure. If direct access to the database is not a good practice, then what kind of layer should be placed between the server and the client? Note that I have a desktop application that will serve as the client and a remote SQL Server database that will provide data to the client. The client will input their username and password in order to see their data. I have heard of terms like VPN, ISA, TMG, Terminal Services, proxy server, and so on. I need a fast and secure n-tier architecture.
P.S. I have heard of web services in front of the database. Can I use WCF to retrieve, update, insert data? Would it be a good approach in terms of security and performance?
A web-service tier is pretty common for smart-clients as a layer between the user-client and the server. This allows:
simple networking (http only)
you have an app-layer in which to put validation etc without upsetting the db
you can have security that isn't tied to the db
the db can run as fewer accounts (app accounts), allowing greater connection pooling
you can "scale out" the app layer
you can cache etc above the db
you can have a richer app layer, with more services than sql server provides
the client has a known API, and never knows about the db (which is an implementation detail)
You can use WCF to talk to the app layer, but you shouldn't think in terms of "INSERT", "UPDATE" etc - you should think in terms of operations that make sense to your domain model - the "CreateOrder" operation, etc. ADO.NET Data Services allows an API more similar to your "INSERT" etc, but it isn't necessarily as controlled as you might like for a secure service.
Performance is really a factor of "what queries am I running?" and "how much data am I transferring?". As long as you keep the operations sane (i.e. don't fetch the entire "Orders" data over the wire just to find the most recent order-date), then you should be OK.
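Both the Xamarin answer above (web API in front of the database, with authentication) and this answer's advice to expose domain operations such as "CreateOrder" rather than INSERT/UPDATE, scoped and kept sane in what they fetch, come down to the same shape of app layer. The example below is added here and is not code from either answer; it uses sqlite3 with constructed sample rows as an offline stand-in for the SQL Server instance the application account would connect to, and the operation names are illustrative.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, three orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,"
        " total_cents INTEGER NOT NULL, placed_at TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer_id, total_cents, placed_at) VALUES (?, ?, ?)",
        [(1, 1200, "2024-01-15"), (1, 500, "2024-03-02"), (2, 9900, "2024-02-20")],
    )
    return conn


class OrderService:
    """The app layer the client talks to. It exposes domain operations, never
    raw SQL verbs, runs every statement under one application account (the
    single connection here stands in for the pool), and scopes each query to
    the authenticated caller so a client cannot ask for another customer's rows."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def create_order(self, caller_id: int, total_cents: int, placed_at: str) -> int:
        """CreateOrder: validation lives here, where the client cannot bypass it.
        caller_id comes from the authenticated session, never from the request body."""
        if total_cents <= 0:
            raise ValueError("order total must be positive")
        cur = self.conn.execute(
            "INSERT INTO orders (customer_id, total_cents, placed_at) VALUES (?, ?, ?)",
            (caller_id, total_cents, placed_at),
        )
        self.conn.commit()
        return cur.lastrowid

    def latest_order_date(self, caller_id: int) -> Optional[str]:
        """Only the value the client needs crosses the wire, not the Orders table."""
        row = self.conn.execute(
            "SELECT MAX(placed_at) FROM orders WHERE customer_id = ?", (caller_id,)
        ).fetchone()
        return row[0]

    def get_order(self, caller_id: int, order_id: int) -> Optional[dict]:
        """Authorization is part of the query: an id that belongs to another
        customer simply does not match, so there is no separate check to forget."""
        row = self.conn.execute(
            "SELECT id, customer_id, total_cents, placed_at FROM orders"
            " WHERE id = ? AND customer_id = ?",
            (order_id, caller_id),
        ).fetchone()
        if row is None:
            return None
        return {"id": row[0], "total_cents": row[2], "placed_at": row[3]}


if __name__ == "__main__":
    svc = OrderService(make_db())
    print("customer 1 latest order:", svc.latest_order_date(1))
    print("customer 2 asking for order 1:", svc.get_order(2, 1))
    new_id = svc.create_order(2, 700, "2024-04-01")
    print("created order", new_id, "->", svc.get_order(2, new_id))
```

The client only ever learns the operation names and their results; table layout, the application account, and the SQL itself stay behind the service, which is what lets you move or restructure the database later without breaking installed clients.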

Hosting an Access DB

So I'm inexperienced in hosting DBs and I've always had the luxury of someone else getting the db set up.
I was going to help a friend out with getting a webpage set up. I've got experience in Asp.Net MVC so I'm going with that. They want to set up a search page to query a db and display the results. The question I have is in getting the DB set up and hosted. They currently just have the Access DB on a local computer. There is basically only one table that would need to be queried for the search.
What is the best approach to getting this table/db accessible? They would like to keep the main copy of the db on the local machine, so copying the entire db over to the hosted site would be time consuming; could the lone table needed be solely copied to the host? Should I try to convince them to make changes on the hosted db and just make copies of that for their local machines? Any suggestions are welcome. Again, I'm a total noob when it comes to hosting databases.
Thanks
Added: They are using MS Access 2000, and the page will have access restrictions. Thanks for the responses.
How about SQL Server Express? I think you can do a remote connect from Access and just push the data over from Access.
I wouldn't use Access on a web server in any case.
I would strongly recommend against Access for web work; it's just not designed for it, and given that SQL Server Express is free there is no reason not to give it a go.
You can migrate the data over by using the SQL Server Upsizing Wizard; here is a link for help on using that feature:
http://support.microsoft.com/kb/237980
It depends on what you mean by web work. Access 2010 can build scalable, browser-neutral web applications. They can scale to 1000s of users. In fact, you can even park the web sites on Microsoft's new cloud hosting options, and scale out to as many users as you need.
Here is a video of an application I wrote in Access 2010. Note how at the halfway point I run the same application, including the Access forms, in a standard web browser. This application was built 100% inside of the Access client. The end result needs no ActiveX or Silverlight to run.
http://www.youtube.com/watch?v=AU4mH0jPntI
So, the above shows that Access can now be used to build scalable web sites (you can ignore the confusing answers by the other two posters here; they are not quite up to speed on how Access works or functions).
However, for your case, I would continue to have the Access database on the desktop. You can simply link to tables that are hosted on the web server. Those tables can exist in MySQL or SQL Server. As long as the web site supports external ODBC connections (many do), then you can thus have the desktop application use the live data from the web server. If connecting to the live data at all times is an issue, then you could certainly set up something to send up new records (or the whole table) on some kind of interval, or perhaps the reverse, and pull down new records on an interval from the web site (depends which way you need to go). So, connecting to MySQL or SQL Server is quite easy as long as the web hosting and site permits external ODBC connections. I do this all the time, and it works quite well.
As mentioned, new for Access 2010 is web site building ability, but that does require Access Web Services running on SharePoint.
You don't need to upgrade to Access 2010. One option is to use the EQL Data plugin to sync the database up to the server. Then you can write an asp.net, php, or whatever application that queries the table using the EQL API and prints the results however you want. This kb article describes how to use the EQL API from a web app.
The nice thing is that the database is still totally usable (and at full speed) even when you're not online, and then you can sync the new data up to the web occasionally. It only uploads the changes, not the entire database every time, so it's fast.
Disclaimer: I work at EQL Data so I'm a bit biased. But this kind of use case is the whole reason the company exists.

Access database

I have a customer that works with LOGICAISSE, a provider of registry cache that will be connected to an MS Access database (yep, it's old!).
I need to have access to that database for a shopping cart on the web; how do I access this kind of database? For now I have only done it with SQL or SQLite in PHP.
Thanks in advance
As you didn't name a specific programming language, here is a tutorial in PHP, for example.
There are also libraries for other languages. Usually you would use ODBC (or a JDBC wrapper) to connect to Access databases.
If using .Net or similar, the easy way is to set up an ODBC connection to the Access database.
Note that you will need to have read / write access to the share that the Access file is located on. Write is required to create the .lck files that Access needs to track whether tables are locked etc.
That said, I would seriously argue that you need to pull the data from Access into a server like SQL Server and have your website hit the SQL Server. Access is NOT built as a multiuser database and treating it like such will lead to a host of issues, especially if the website in question has any level of traffic.