Delphi ISAPI Application Using SQL Server

Posted on 2003-10-23
Last Modified: 2010-04-05

I'm trying do develop an ISAPI Application using Delphi 7 Professional using MS SQL Server.
I put one TADOConnection whose I configured to the database to be used, tested it and it setting True to Connected property and it worked fine. Also, put a TADOQuery component and set the Connection property to the connection just configured. I have tested a complex sql command in the SQL Query window and it worked fine too.

But the application do not run fine unless it is removed the code that relies database acess.

If anyone can help me thanks in advance.

Question by:AdaoPaulino

Expert Comment

ID: 9612608

I am having the same problem and searched internet but still could not find a  solution yet.

Accepted Solution

StayGreedy earned 125 total points
ID: 9613275
This have may something to do with your ConnectionString.
Are you using Windows NT Integrated Security?
If so, then your ISAPI will use your Web Server Local Security Account (IUSR_[ComputerName] or IWAM_[ComputerName]).  If your Web Server is on the same Server as your SQL Server , then you could add these Local Accounts into your SQL Server.

However, if your Web Server is on a different Server to you SQL Server, then create an Account on your SQL Server for example "iWebUser".  Use this Account in your ConnectionString to access your SQL Server.

Provider=SQLOLEDB.1;Password=[Password];Persist Security Info=True;User ID=iWebUser;Initial Catalog=[DatabaseName];Data Source=[SQLServerName]

Personally, I always use a SQL Server Account to Connect my ISAPI WebApps to my database.

LVL 17

Expert Comment

by:Wim ten Brink
ID: 9613415
As Russell says, this is most likely a security issue. Keep in mind that normally, a user who connects to an ISAPI DLL will be logged in on the webserver as an anonimous user with very limited access rights. One solution to get around this is to go to the IIS configuration of your website and in Directory security turn off the Anonimous Access account. Thus any user who connects to your server must log in. And if you enabled the Integrated Windows security for the webserver, the user does not even have to enter username/password as long as he is in the same domain as the webserver. Otherwise he gets a simple logon dialog before he's allowed to see the page.

Russell provided the other solution, which is: create a database user account and do not use integrated security for your connection. The disadvantage for this is that all web users have the same database access rights. Of course, you could also first ask the user to provide username and password first before allowing them access...
The use of a generic database account for all web users is that none of these users need to know the password to access the database. From a security point of view, this is very useful because this way no user can use his own credentials to access the database outside the website. A good security measure. The disadvantage is of course that many administrators forget to change the password for this database account on a regular basis so the password might be valid for years. So make sure the connection string used is configurable. E.g. a registry setting or INI file key value.

Keep in mind that a webserver application always has very limited system access. For example, you might not have access to the network or to the registry and you might not even be able to see all the files in the system. You're dealing with security here and this can make things quite difficult sometimes.

Author Comment

ID: 9616257
Hi Guys,

I'm worn out. I've tried to use your suggestions, but all still not running. Looking at the tips I want to list some features of my environment:
- Windows 2000 Server Service Pack 4;
- SQL Server 2000;
- Web server and SQL Server in the same machine;
- In the configuration of SQL Server (Edit SQL Server Registration/Properties)  checked the option "Use Windows Authentication";
- checked "Annonimous Access" in the Security Pallete of the IIS configuration, where I've tried to use the local security account (IUSR_....) letting password control to IIS. But I've filled the username with another user/password  of Windows too.

I think I'm confusing now because I tried almost all and nothing go ok.

I thanks to your help until now, but I'd like to ask you for more suggestions or correction of anything wrong I doing.

We'll talk later.

Author Comment

ID: 9623417
Hi Guys,

After several tentatives and analyses about you said I do this:

- unchecked the annonimous acess in the configuration of Web Server;
- checked Windows integrated authentication;
- set SQL Server to Windows Integrated Security (only Windows);
- in the connection string elminate User ID and Password.

However, this is good for this experience. Later, when I'll have SQL Server and Web Server in distincts machines I hope I must check annonimous access and change the connection string.  What do you think about it?

Thank you very much.

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A lot of questions regard threads in Delphi.   One of the more specific questions is how to show progress of the thread.   Updating a progressbar from inside a thread is a mistake. A solution to this would be to send a synchronized message to the…
Hello everybody This Article will show you how to validate number with TEdit control, What's the TEdit control? TEdit is a standard Windows edit control on a form, it allows to user to write, read and copy/paste single line of text. Usua…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question