that's what I thought. I guess I'm going to recommend what you guys
suggested: Straight ADO db connection with SQL Srever mirroring. But what to
hec to do with that connections string... is there any way to secure it
enough whitin the application on user machine to convince them? Or maybe
retrieve connection string with web service?
"Andrew J. Kelly" <sqlmvpnooospam@.shadhawk.com> wrote in message
news:OifLlSQHIHA.4112@.TK2MSFTNGP05.phx.gbl...
> Well that depends on what you are doing. Asynchronous access to a database
> is not very useful for most user applications. If you are only talking
> about SQL Server as a back end to an app that just needs to load data such
> as a logging process this may be fine. But if it is a user interface app
> and the user expects to see data back these techniques don't work well.
> Don't get me wrong things like Service Broker have a definite place and
> work great for what they were designed to do. But you can't front end a
> database server with these tools and expect them to work like a database
> server. I just got off a large project where we had to completely rewrite
> an app that made extensive use of web services because it couldn't scale
> as written and simply was the wrong tool for the job in this case.
> Management needs to define what their goals are first and then decide what
> the best tools for the job are, not the other way around.
> --
> Andrew J. Kelly SQL MVP
> Solid Quality Mentors
>
> "Andy" <kc2ine@.yahoo.com> wrote in message
> news:%23y6juKOHIHA.4880@.TK2MSFTNGP03.phx.gbl...
>
Now we didn't really recommend anything since we don't know your actual
requirements. Why not use Windows authentication and you don't have to worry
about showing any sensitive data.
Andrew J. Kelly SQL MVP
Solid Quality Mentors
"Andy" <kc2ine@.yahoo.com> wrote in message
news:uLB18nQHIHA.4196@.TK2MSFTNGP04.phx.gbl...
> that's what I thought. I guess I'm going to recommend what you guys
> suggested: Straight ADO db connection with SQL Srever mirroring. But what
> to hec to do with that connections string... is there any way to secure it
> enough whitin the application on user machine to convince them? Or maybe
> retrieve connection string with web service?
> "Andrew J. Kelly" <sqlmvpnooospam@.shadhawk.com> wrote in message
> news:OifLlSQHIHA.4112@.TK2MSFTNGP05.phx.gbl...
>
|||Andy,
I suggest taking the secure road here. Yes, the connection string is a
key to SQL Server content--it can unlock the door to the entire server and
all of its data or to a single closet that contains just the data your
application needs. I suggest the latter as a security strategy. The
ConnectionString is not going to be visible to the end user unless you give
them the source code. Yes, there are programs to decompile the program, but
those are easily defeated with a couple of techniques. There are also ways
to encrypt the ConnectionString supported in VS 2005. However, if the
ConnectionString credentials only grant access to the few stored procedures
or views that are used by the application, the exposure is minimal. Of
course, this assumes that the application is written using this approach.
I would be available to come talk to your management team about this and
other related issues. We could even do this over a conference call.
hth
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP
INETA Speaker
www.betav.com
www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
------
"Andy" <kc2ine@.yahoo.com> wrote in message
news:uLB18nQHIHA.4196@.TK2MSFTNGP04.phx.gbl...
> that's what I thought. I guess I'm going to recommend what you guys
> suggested: Straight ADO db connection with SQL Srever mirroring. But what
> to hec to do with that connections string... is there any way to secure it
> enough whitin the application on user machine to convince them? Or maybe
> retrieve connection string with web service?
> "Andrew J. Kelly" <sqlmvpnooospam@.shadhawk.com> wrote in message
> news:OifLlSQHIHA.4112@.TK2MSFTNGP05.phx.gbl...
>
No comments:
Post a Comment