stupiddumbguy wrote: I agree partially with Colin. Allowing raw SQL from the internet is effectively granting hackers full control of your database. But accessing data for your application through a narrow set of specially secured stored procedures isn't any better. I consider this a false sense of security.
I never once said this was the be-all and end-all of SQL security. It is only one part of defence against attack, and it was a single part that was in context with the original question asked. I, perhaps, did not explain that the access to the stored procedures was through the web service. The web service, as you explained, can "act as a gateway into your database".
stupiddumbguy wrote: Enforcing security in your application by applying additional security requirements does not make your application secure. If anything, it's worse because the surface of your application is wider.
Either I am missing something or I am misinterpreting what you are saying here. How does locking off access to tables and views widen the attack surface of the application?
Colin, you're absolutely right. This is only one of many different steps Geert should take to ensure he is able to expose his data as a web service without giving away the keys to the castle. I think what Geert was asking was to find the shortest route to expose the data, and your method is the most direct.
Perhaps I misunderstood your comment, but to clarify, I'm going to assume the worst so that I can illustrate two different approaches and their impact on security.
The first (what I assumed you meant) was to create a very generic web-service that allows Geert to call any stored procedure of his choosing. While there is some benefit in that this is generic code that could be used in many different ways, this is also the biggest downfall of this approach. By allowing any stored procedure to be executed you can't predict which stored procedures will be executed. That's a pretty big hole which requires you to lock down every object in your database. My point was that if you need to do this in order to make your application secure, then by design, this is not a secure design. We as modern application designers should strive to write secure code and not be dependent on the infrastructure configuration to save us.
The second approach (my recommendation) was to abstract the details of the stored procedure away from the client application. Under this design, the web-service exposes some general input parameters but its implementation does the stored-procedure logic for you. This has a smaller security surface because you're not exposing the database directly to the caller.
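The two designs discussed in the posts above (a generic "run any stored procedure" web method versus a service that exposes a fixed set of named operations) side by side, as an added example that is not code from either poster. A constructed stand-in for a database driver records the command it would run, so the comparison works without a real SQL Server; the operation names, procedure names and parameter shapes are assumptions chosen for illustration.

```javascript
// Constructed stand-in for a database driver: records each command instead of
// running it. exec() returns the 1-based index of the recorded command.
function makeFakeDb() {
  const log = [];
  return {
    exec(sql, params) { log.push({ sql, params }); return log.length; },
    log,
  };
}

// Design 1 (the one the thread argues against): a generic web method that runs
// whatever procedure name and argument text the caller sends. Nothing here
// bounds what can be reached; every database object must defend itself.
function genericExec(db, procName, args) {
  const sql = 'EXEC ' + procName + ' ' + args.join(', ');
  return db.exec(sql, {});
}

// Design 2 (the recommendation): a fixed table of named operations. Procedure
// name and parameter list live on the server; the caller supplies only values,
// which are validated and bound as parameters, never spliced into command text.
// Operation and procedure names below are assumed for the example.
const OPERATIONS = {
  getOrder: {
    proc: 'dbo.GetOrderById',
    params: ['@OrderId'],
    // Accepts only a positive integer order id; returns null otherwise.
    validate: (input) => Number.isInteger(input.orderId) && input.orderId > 0
      ? [input.orderId] : null,
  },
  listOrdersForCustomer: {
    proc: 'dbo.ListOrdersForCustomer',
    params: ['@CustomerId', '@Status'],
    validate: (input) => Number.isInteger(input.customerId) &&
      ['open', 'closed'].includes(input.status)
      ? [input.customerId, input.status] : null,
  },
};

function narrowExec(db, operation, input) {
  const def = OPERATIONS[operation];
  if (!def) throw new Error('unknown operation: ' + operation); // deny by default
  const values = def.validate(input || {});
  if (!values) throw new Error('invalid input for ' + operation);
  const params = Object.fromEntries(def.params.map((p, i) => [p, values[i]]));
  return db.exec('EXEC ' + def.proc + ' ' + def.params.join(', '), params);
}
```

With the generic method, the recorded command text is whatever the caller typed; with the narrow service, an unknown operation name or a value of the wrong type is rejected before anything reaches the database, and the only procedures reachable are the ones listed in the table.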
Why not use business objects at the web services, like DeKlarit (although you need to buy it), or some sort of ORM at the web service? This will de-couple the database from the web services to start with; then transfer datasets to and from the web service. When you want something from the server, call a function on the data adapter interface (interfaces only required on the client), let the web service fill the dataset, then bind it at the client.
Voilà.
g00fy
Disable save as and print button of ie
kunal b padia
Why would you want to do that?
What irritates me is the half-assed attempts to disable things in the browser. For example, my company's intranet does not allow me to right-click on things. However I can press the context-menu button on the keyboard for the exact same effect.
Hear, hear.
It is almost as annoying as all that popup crap getting around.
g00fy
In ASP.NET 1.1 I have a template checkbox column in a dynamically created datagrid. In order to maintain the viewstate, I initialize the datagrid in Page_Init itself and modify the datagrid through an Ajax function. The Ajax function modifies the enabled property of the checkboxes. After the AJAX method is invoked, on the next postback I am able to get the checked property of the checkbox from viewstate but not the enabled property. But if I don't perform the Ajax modification, on postback I am able to get both the enabled and checked properties.
Kindly provide any idea regarding why the enabled property is not in viewstate after using the AJAX function.
Maha
I need a good host supporting ASP.NET 2.0 and MySQL 5.
Now, it's a jungle out there, and I'm afraid of choosing something crappy, hence me asking for your advice/recommendation. I'd much rather pay more for better quality.
So, what do you say?
Hi!
I have hosted my web site at www.discountasp.net. I strongly suggest you check the web site because they have outstanding services at affordable prices. I have had no problem with them at all.
JUNEYT
Hello folks, this is basically my first question. Help me out.
I have created a system running clock in JavaScript and am able to display the value on the page by the document property, by calling a function in a loop.
Can you tell me how to display this value in the textbox? The code is
Ish Kumar Kapila
Hi!
Because you haven't defined a name for the input box. Just define a name such as name="box1" and then use the ID with document.form.box1.value statement in the function.
Sorry buddy, it did not work... see the new code
<html>
<head>
<script>
function time()
{
var d=new Date()
var h=d.getHours()
var m=d.getMinutes()
var s=d.getSeconds()
var ms=d.getMilliseconds()
var w=document.getElementById('txt').innerHTML=h+":"+m+":"+s+":"+ms //check it
t=setTimeout('time()',50)
document.form.tb1.value=w // check it
}
</script>
</head>
<body onload="time()" >
<div id="txt"></div>
<input type="text" id="tb1" >
</body>
</html>
help me guys...
Ish Kumar Kapila
If you define a form object it can work out. After the tag, define a form object.
Still nothing happened, buddy. Is the problem so complex to solve?
Please try again... thanks for the effort.
<html>
<head>
<script type="text/javascript">
function time()
{
var d=new Date()
var h=d.getHours()
var m=d.getMinutes()
var s=d.getSeconds()
var ms=d.getMilliseconds()
document.getElementById('txt').innerHTML=h+":"+m+":"+s+":"+ms
t=setTimeout('time()',50)
document.tb1.value=t
}
</script>
</head>
<body onload="time()" >
<FORM name="form" method="POST"></FORM>
<div id="txt"></div>
<input type="text" id="tb1" ></input>
</body>
</html>
try something new
Ish Kumar Kapila
Hi!
I just fixed the code for you. There were a few mistakes. Copy and paste the whole code below into a page and then load the page. I have checked it and it is working...
<html>
<head>
<title>New Page 1</title>
<script type="text/javascript">
function time()
{
var d=new Date()
var h=d.getHours()
var m=d.getMinutes()
var s=d.getSeconds()
var ms=d.getMilliseconds()
var now=h+":"+m+":"+s+":"+ms // build the clock string once and write it to both places
document.getElementById('txt').innerHTML=now
t=setTimeout('time()',50) // t is the timer handle, not the time; do not show it in the box
document.form.tbox.value=now // the text box must be inside the form named "form"
}
</script>
</head>
<body onload="time()">
<form name="form"><div id="txt"></div><input type="text" name="tbox"></form>
</body>
</html>
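A zero-padded version of the clock in the exchange above, as an added example that is not code from the thread. It writes the clock through textContent and the input's value rather than innerHTML, so the string is never interpreted as markup, and it returns the interval handle separately so the timer id never ends up in the text box. The element ids 'txt' and 'tb1' follow the poster's page; the 50 ms interval is the poster's value.

```javascript
// Left-pads a number with zeros to the given width.
function pad(n, width) { return String(n).padStart(width, '0'); }

// Returns HH:MM:SS.mmm for the given Date (local time).
function formatClock(d) {
  return pad(d.getHours(), 2) + ':' + pad(d.getMinutes(), 2) + ':' +
         pad(d.getSeconds(), 2) + '.' + pad(d.getMilliseconds(), 3);
}

// Starts the clock against any object that offers getElementById (the real
// document in a browser, a fake one in a test). Writes text, never markup,
// and returns the interval handle so the caller can clearInterval() it.
function startClock(doc, displayId, inputId, intervalMs) {
  const display = doc.getElementById(displayId);
  const box = doc.getElementById(inputId);
  const tick = () => {
    const now = formatClock(new Date());
    if (display) display.textContent = now; // textContent: no HTML parsing
    if (box) box.value = now;
  };
  tick(); // show a value immediately instead of after the first interval
  return setInterval(tick, intervalMs);
}

// Browser wiring; ids assumed to match the poster's page.
if (typeof document !== 'undefined') {
  window.addEventListener('load', () => startClock(document, 'txt', 'tb1', 50));
}
```

Because the timer handle is returned rather than stored in a global, the page can stop the clock (for example when the form is submitted) without leaving a dangling timer that keeps writing into the input.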
How can I enable debugging in a web service?
My client cannot access the service if I create it in wwwroot\folder\service; however, it can access it at wwwroot\service. Can I get a logical reason for this?
B U
Hi, I have an aspx page containing 7 user controls. I have 5 actors in my app, and against each user I have certain functions defined. Based on these functions I have to either make a control visible or invisible, or enable or disable a control. The roles and the functions corresponding to them are defined in an XML file.
I am not able to figure out how to go about it; any help or suggestions are welcome.
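One way to turn a role-to-function mapping into per-control visible/enabled decisions, as an added example that is not the poster's code. The poster keeps roles and functions in an XML file whose layout is not shown, so the role matrix and the control rules below are constructed JavaScript objects with assumed role, function and control names; the evaluation is deny by default, so a control whose function is not granted to any of the user's roles is hidden (or disabled, where the rule says so).

```javascript
// Constructed role -> function matrix (the poster's XML would supply this).
const ROLE_FUNCTIONS = {
  Admin:   ['ViewReports', 'EditOrders', 'ApproveOrders'],
  Manager: ['ViewReports', 'ApproveOrders'],
  Clerk:   ['EditOrders'],
};

// One rule per user control (names assumed). 'hide' means the control is not
// rendered unless the function is granted; 'disable' means it is rendered but
// read-only when the function is missing.
const CONTROL_RULES = {
  ReportPanel:   { requires: 'ViewReports',   mode: 'hide' },
  OrderEditor:   { requires: 'EditOrders',    mode: 'disable' },
  ApproveButton: { requires: 'ApproveOrders', mode: 'hide' },
  AuditLog:      { requires: 'ViewAudit',     mode: 'hide' }, // granted to no role
};

// Union of the functions granted by the user's roles. A role that is not in
// the matrix grants nothing.
function functionsForRoles(roles) {
  const granted = new Set();
  for (const role of roles) {
    for (const fn of ROLE_FUNCTIONS[role] || []) granted.add(fn);
  }
  return granted;
}

// Returns { controlName: { visible, enabled } } for every control in the rule
// table. Anything not explicitly granted resolves to hidden/disabled.
function controlStates(roles) {
  const granted = functionsForRoles(roles);
  const states = {};
  for (const [name, rule] of Object.entries(CONTROL_RULES)) {
    const allowed = granted.has(rule.requires);
    states[name] = rule.mode === 'disable'
      ? { visible: true, enabled: allowed }
      : { visible: allowed, enabled: allowed };
  }
  return states;
}
```

The result maps directly onto the Visible and Enabled properties of the user controls on the server side of the page. Evaluating the rules on the server matters: a control that is merely hidden or disabled in the browser does not stop a request from reaching the handler behind it, so the handlers should consult the same function set before acting.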
This is a snippet from my page:
I need some javascript that can check if the id query string is in the action attribute, and if it is, remove it so the form element will look like this:
Thanks.
/\ |_ E X E GG
You can use a regular expression like /(\?|&)id=(.*?)(&|$)/ to check for the attribute and remove it.
---
b { font-weight: normal; }
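The regular expression from the reply above applied to a form's action, as an added example that is not the poster's code. The replacement keeps the query string well formed when id is not the last parameter (dropping "?id=5&" wholesale would leave "x=1" glued to the path), and a second function does the same job with the URL API; the form id 'myForm' and the placeholder base URL are assumptions.

```javascript
// The pattern suggested in the reply: a '?' or '&' separator, then id=, then
// the value up to the next '&' or the end of the string.
const ID_PARAM_RE = /(\?|&)id=(.*?)(&|$)/;

// Removes the id parameter from an action string. When another parameter
// follows, its separator is re-emitted as the leading one ('?' or '&').
function stripIdParam(action) {
  return action.replace(ID_PARAM_RE, (match, lead, value, tail) =>
    tail === '&' ? lead : '');
}

// Same result via URLSearchParams, which also copes with encoded names and
// repeated id parameters. Relative actions are parsed against a placeholder
// base; note that the URL parser resolves '..' path segments, so prefer the
// regex version for actions that rely on them.
function stripIdParamUrl(action) {
  const url = new URL(action, 'http://placeholder.invalid/');
  url.searchParams.delete('id');
  const rebuilt = url.pathname + url.search + url.hash;
  return action.startsWith('/') ? rebuilt : rebuilt.replace(/^\//, '');
}

// Rewrites a form's action attribute in place and returns the new value.
function fixFormAction(form) {
  form.setAttribute('action', stripIdParam(form.getAttribute('action') || ''));
  return form.getAttribute('action');
}

// Browser wiring (form id assumed).
if (typeof document !== 'undefined') {
  window.addEventListener('load', () => {
    const form = document.getElementById('myForm');
    if (form) fixFormAction(form);
  });
}
```

Reading the attribute with getAttribute rather than form.action matters here: the property returns a fully resolved absolute URL, while the attribute holds the literal text the page author wrote, which is what the question wants rewritten.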
COM Error Number: -2147467259 (0x80004005)
Line Number: 97
Column Number: -1
Brief Description: Method '~' of object '~' failed
Can anyone explain to me what the possible reasons could be?
This error is generated when the ASP application is run; a call to a specific file is causing the problem. A DLL is also used in these pages.
When this application is run with fewer than 5 hits it runs fine, but when the load increases to 10 the error is generated.
Anybody please send some .NET projects with explanation; it's very urgent for me to get a job.
Don't mind, but what will you do with others' projects??? Those projects will not help in your job, but yes, it will be very harmful for your carrier.
And if you want a readymade .NET project, you can get it from this site itself. Just see up here: there is one green bar where .NET is mentioned; just go from it.
And all the best for your job.
hiral_shah wrote: carrier
Career
Similar sound - very different meaning
Hi!
I have one global.asa file under the root directory and I have defined a few application variables. Application("Visitors") keeps the total count of visitors. However, it is getting reset every day. I wonder if it is caused by resetting IIS.
If you could enlighten me about it, I would really appreciate it.
Thanks!
Sub Application_OnStart
Application.Lock
Application("Visitors") = 0
Application("CurrentVisitors") = 0
Application.UnLock
End Sub
Sub Session_OnStart
Application.Lock
Application("CurrentVisitors") = Application("CurrentVisitors") + 1
Application("Visitors") = Application("Visitors") + 1
Application.UnLock
End Sub
Sub Session_OnEnd
Application.Lock
Application("CurrentVisitors") = Application("CurrentVisitors") - 1
Application.UnLock
End Sub