Go Premium for a chance to win a PS4. Enter to Win

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 524
  • Last Modified:

Delphi ISAPI Application Using SQL Server


I'm trying do develop an ISAPI Application using Delphi 7 Professional using MS SQL Server.
I put one TADOConnection whose I configured to the database to be used, tested it and it setting True to Connected property and it worked fine. Also, put a TADOQuery component and set the Connection property to the connection just configured. I have tested a complex sql command in the SQL Query window and it worked fine too.

But the application do not run fine unless it is removed the code that relies database acess.

If anyone can help me thanks in advance.

1 Solution

I am having the same problem and searched internet but still could not find a  solution yet.
This have may something to do with your ConnectionString.
Are you using Windows NT Integrated Security?
If so, then your ISAPI will use your Web Server Local Security Account (IUSR_[ComputerName] or IWAM_[ComputerName]).  If your Web Server is on the same Server as your SQL Server , then you could add these Local Accounts into your SQL Server.

However, if your Web Server is on a different Server to you SQL Server, then create an Account on your SQL Server for example "iWebUser".  Use this Account in your ConnectionString to access your SQL Server.

Provider=SQLOLEDB.1;Password=[Password];Persist Security Info=True;User ID=iWebUser;Initial Catalog=[DatabaseName];Data Source=[SQLServerName]

Personally, I always use a SQL Server Account to Connect my ISAPI WebApps to my database.

Wim ten BrinkCommented:
As Russell says, this is most likely a security issue. Keep in mind that normally, a user who connects to an ISAPI DLL will be logged in on the webserver as an anonimous user with very limited access rights. One solution to get around this is to go to the IIS configuration of your website and in Directory security turn off the Anonimous Access account. Thus any user who connects to your server must log in. And if you enabled the Integrated Windows security for the webserver, the user does not even have to enter username/password as long as he is in the same domain as the webserver. Otherwise he gets a simple logon dialog before he's allowed to see the page.

Russell provided the other solution, which is: create a database user account and do not use integrated security for your connection. The disadvantage for this is that all web users have the same database access rights. Of course, you could also first ask the user to provide username and password first before allowing them access...
The use of a generic database account for all web users is that none of these users need to know the password to access the database. From a security point of view, this is very useful because this way no user can use his own credentials to access the database outside the website. A good security measure. The disadvantage is of course that many administrators forget to change the password for this database account on a regular basis so the password might be valid for years. So make sure the connection string used is configurable. E.g. a registry setting or INI file key value.

Keep in mind that a webserver application always has very limited system access. For example, you might not have access to the network or to the registry and you might not even be able to see all the files in the system. You're dealing with security here and this can make things quite difficult sometimes.
AdaoPaulinoAuthor Commented:
Hi Guys,

I'm worn out. I've tried to use your suggestions, but all still not running. Looking at the tips I want to list some features of my environment:
- Windows 2000 Server Service Pack 4;
- SQL Server 2000;
- Web server and SQL Server in the same machine;
- In the configuration of SQL Server (Edit SQL Server Registration/Properties)  checked the option "Use Windows Authentication";
- checked "Annonimous Access" in the Security Pallete of the IIS configuration, where I've tried to use the local security account (IUSR_....) letting password control to IIS. But I've filled the username with another user/password  of Windows too.

I think I'm confusing now because I tried almost all and nothing go ok.

I thanks to your help until now, but I'd like to ask you for more suggestions or correction of anything wrong I doing.

We'll talk later.
AdaoPaulinoAuthor Commented:
Hi Guys,

After several tentatives and analyses about you said I do this:

- unchecked the annonimous acess in the configuration of Web Server;
- checked Windows integrated authentication;
- set SQL Server to Windows Integrated Security (only Windows);
- in the connection string elminate User ID and Password.

However, this is good for this experience. Later, when I'll have SQL Server and Web Server in distincts machines I hope I must check annonimous access and change the connection string.  What do you think about it?

Thank you very much.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now