microsoft.public.sqlserver.server > November 2002

Database on the Net...
Happy Thanksgiving:

I do have a planning question. I'm sure most of you have done this so many times. I'm hoping I would get some ideas and feedback from here.

I have a SQL 2000 Database on a Windows 2000 server that would be used for a web-based application. I am working on how this data should be placed in the local LAN and how best it could be protected.

So my plan is ...

1) By no means will the web-based application talk to the original DB directly, and I think I need to use a VIEW for this purpose. Then at the end of the day the View would feed the data to the ORIGINAL Table or Database. BUT I'm not sure this is the solution I need to implement or something else you recommend.

2) The Database server would be placed in a DMZ for security.

3) I want anyone from the internet to be able to use this Web-based Application, so what Account should I use for SQL and Windows 2000 server and what kinda permission should it be given?

4) Is there anything else I need to consider?

Any kinda feedback is appreciated..

Cheers...
Jaxy..........
Tibor Karaszi 2002-11-29, 2:23 am
Here's what I would do:

Create stored procedures for the database access instead of views. IMO a better option. It will also reduce the risk of "injection". Use views when you need "dynamic query creation", like end-users working with report generators.

Put the SQL Server inside the firewalls, not in the DMZ. The IIS server goes in the DMZ.

As for the account used by IIS to connect to SQL Server, I don't know as I'm not an IIS person.
--
Tibor Karaszi, SQL Server MVP
Archive at: http://groups.google.com/groups?oi=...ublic.sqlserver
Hi Tibor,

Thanks for the tips. Just have a few questions, hope you don't mind answering.

1) Why would you use a Stored Procedure for DB access and not Views? And what actually do you mean by 'Injection' here?

2) Can't I just place the whole DMZ behind the firewall and then open the necessary ports on the Firewall?

Thanks again for your Tips...

Cheers...
Jaxy......
Tibor Karaszi 2002-11-29, 3:33 pm
> 1) Why would you use Stored Procedure for DB access and
> not Views?

Better performance, reuse of code, keeping all SQL code in one place instead of scattered around client programs etc. Lots of reasons.

> And what actually do you mean by 'Injection'
> here?

Say you have a text box with a parameter where the user is supposed to enter a numeric value that you will use in a WHERE clause. The query looks like this:

SELECT * FROM tbl
WHERE colname = <numvalue>

Say now that the user enters the value below:

23 DROP TABLE invoices

The query (queries) now is (line break added for clarity):

SELECT * FROM tbl
WHERE colname = 23
DROP TABLE invoices

Ouch!

> 2) Can't I just place the whole DMZ behind the firewall
> then open the necessary ports on the Firewall.

I'm no network expert, so all are free to correct or add to the below:

The idea of a DMZ is that you have two firewalls, one to the outside world and one to the inside world. The DMZ is in between. This is where you put the web server and only open port 80 on the outer firewall. Then on the inner firewall, you open the port necessary for the web server to talk to SQL Server. All in the name of security.
--
Tibor Karaszi, SQL Server MVP
Archive at: http://groups.google.com/groups?oi=...ublic.sqlserver
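Tibor's "23 DROP TABLE invoices" scenario and his earlier point that parameterized stored procedures reduce the injection risk, reproduced as an added Python example that is not part of the thread. It runs against an in-memory SQLite database with constructed tables `tbl` and `invoices`; since SQLite has no stored procedures, a bound `?` parameter stands in for the procedure's typed parameter, and `executescript()` stands in for a batch-capable driver of the kind the web app would have used against SQL Server 2000. Unlike T-SQL, SQLite needs a `;` between statements, so the hostile input carries one. The `parse_numeric` check is a hypothetical validation policy added here as a second layer.

```python
import sqlite3

# Constructed sample inputs; the second mirrors the thread's
# "23 DROP TABLE invoices" (with the ';' SQLite requires).
BENIGN_INPUT = "23"
HOSTILE_INPUT = "23; DROP TABLE invoices"


def fresh_db():
    """In-memory database with the two constructed tables the demo uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tbl (colname INTEGER, label TEXT);
        INSERT INTO tbl VALUES (23, 'twenty-three');
        INSERT INTO tbl VALUES (42, 'forty-two');
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount REAL);
        INSERT INTO invoices VALUES (1, 10.0);
        """
    )
    return conn


def table_exists(conn, name):
    """True if a table of that name still exists in the database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, user_value):
    """The pattern from the thread: the user's text is pasted into the SQL.

    executescript() runs every statement in the string, which is how a
    batch-capable driver behaves, so whatever the user appends after the
    number is executed as well.
    """
    sql = "SELECT label FROM tbl WHERE colname = " + user_value
    conn.executescript(sql)
    return sql  # the exact text the engine received


def lookup_parameterized(conn, user_value):
    """Bound parameter: the value is only ever compared, never parsed as SQL."""
    rows = conn.execute(
        "SELECT label FROM tbl WHERE colname = ?", (user_value,)
    ).fetchall()
    return [label for (label,) in rows]


def parse_numeric(user_value):
    """Reject anything that is not a plain integer before it gets near SQL.

    Hypothetical policy for this demo: non-negative integers only. The
    field in Tibor's example is supposed to be numeric, so a type check
    is an independent second layer on top of parameter binding.
    """
    text = user_value.strip()
    if not text.isdigit():
        raise ValueError("expected a numeric value, got %r" % user_value)
    return int(text)


def lookup_hardened(conn, user_value):
    """Both layers together: validate the type, then bind the value."""
    return lookup_parameterized(conn, parse_numeric(user_value))


def demo():
    db = fresh_db()
    lookup_vulnerable(db, HOSTILE_INPUT)
    print("after concatenated query, invoices table present:",
          table_exists(db, "invoices"))

    db = fresh_db()
    print("parameterized, hostile input ->", lookup_parameterized(db, HOSTILE_INPUT))
    print("invoices table present:", table_exists(db, "invoices"))
    print("parameterized, benign input ->", lookup_parameterized(db, BENIGN_INPUT))
    try:
        lookup_hardened(db, HOSTILE_INPUT)
    except ValueError as exc:
        print("hardened path rejects hostile input:", exc)
    print("hardened, benign input ->", lookup_hardened(db, BENIGN_INPUT))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the concatenated version dropping `invoices`, while the bound-parameter version returns no rows for the hostile input and leaves the table intact; the type check rejects the input before any SQL is built. The same division of labour applies to the stored procedures Tibor recommends: the procedure's typed parameter does the binding, and the application validates the input type first.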
Thanks Tibor,

And oops, don't want injection. I'm still planning. Your tips would be very helpful..

Thanks...
Jaxy....