Solved

Delphi ISAPI Application Using SQL Server

Posted on 2003-10-23
5
476 Views
Last Modified: 2010-04-05
Hello,

I'm trying do develop an ISAPI Application using Delphi 7 Professional using MS SQL Server.
I put one TADOConnection whose I configured to the database to be used, tested it and it setting True to Connected property and it worked fine. Also, put a TADOQuery component and set the Connection property to the connection just configured. I have tested a complex sql command in the SQL Query window and it worked fine too.

But the application do not run fine unless it is removed the code that relies database acess.

If anyone can help me thanks in advance.

Adão.
0
Comment
Question by:AdaoPaulino
5 Comments
 
LVL 1

Expert Comment

by:new_x
ID: 9612608

I am having the same problem and searched internet but still could not find a  solution yet.
0
 
LVL 1

Accepted Solution

by:
StayGreedy earned 125 total points
ID: 9613275
This have may something to do with your ConnectionString.
Are you using Windows NT Integrated Security?
If so, then your ISAPI will use your Web Server Local Security Account (IUSR_[ComputerName] or IWAM_[ComputerName]).  If your Web Server is on the same Server as your SQL Server , then you could add these Local Accounts into your SQL Server.

However, if your Web Server is on a different Server to you SQL Server, then create an Account on your SQL Server for example "iWebUser".  Use this Account in your ConnectionString to access your SQL Server.

Provider=SQLOLEDB.1;Password=[Password];Persist Security Info=True;User ID=iWebUser;Initial Catalog=[DatabaseName];Data Source=[SQLServerName]

Personally, I always use a SQL Server Account to Connect my ISAPI WebApps to my database.

Russell
0
 
LVL 17

Expert Comment

by:Wim ten Brink
ID: 9613415
As Russell says, this is most likely a security issue. Keep in mind that normally, a user who connects to an ISAPI DLL will be logged in on the webserver as an anonimous user with very limited access rights. One solution to get around this is to go to the IIS configuration of your website and in Directory security turn off the Anonimous Access account. Thus any user who connects to your server must log in. And if you enabled the Integrated Windows security for the webserver, the user does not even have to enter username/password as long as he is in the same domain as the webserver. Otherwise he gets a simple logon dialog before he's allowed to see the page.

Russell provided the other solution, which is: create a database user account and do not use integrated security for your connection. The disadvantage for this is that all web users have the same database access rights. Of course, you could also first ask the user to provide username and password first before allowing them access...
The use of a generic database account for all web users is that none of these users need to know the password to access the database. From a security point of view, this is very useful because this way no user can use his own credentials to access the database outside the website. A good security measure. The disadvantage is of course that many administrators forget to change the password for this database account on a regular basis so the password might be valid for years. So make sure the connection string used is configurable. E.g. a registry setting or INI file key value.

Keep in mind that a webserver application always has very limited system access. For example, you might not have access to the network or to the registry and you might not even be able to see all the files in the system. You're dealing with security here and this can make things quite difficult sometimes.
0
 

Author Comment

by:AdaoPaulino
ID: 9616257
Hi Guys,

I'm worn out. I've tried to use your suggestions, but all still not running. Looking at the tips I want to list some features of my environment:
- Windows 2000 Server Service Pack 4;
- SQL Server 2000;
- Web server and SQL Server in the same machine;
- In the configuration of SQL Server (Edit SQL Server Registration/Properties)  checked the option "Use Windows Authentication";
- checked "Annonimous Access" in the Security Pallete of the IIS configuration, where I've tried to use the local security account (IUSR_....) letting password control to IIS. But I've filled the username with another user/password  of Windows too.

I think I'm confusing now because I tried almost all and nothing go ok.

I thanks to your help until now, but I'd like to ask you for more suggestions or correction of anything wrong I doing.

We'll talk later.
0
 

Author Comment

by:AdaoPaulino
ID: 9623417
Hi Guys,

After several tentatives and analyses about you said I do this:

- unchecked the annonimous acess in the configuration of Web Server;
- checked Windows integrated authentication;
- set SQL Server to Windows Integrated Security (only Windows);
- in the connection string elminate User ID and Password.

However, this is good for this experience. Later, when I'll have SQL Server and Web Server in distincts machines I hope I must check annonimous access and change the connection string.  What do you think about it?

Thank you very much.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This article explains how to create forms/units independent of other forms/units object names in a delphi project. Have you ever created a form for user input in a Delphi project and then had the need to have that same form in a other Delphi proj…
Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now