Solved

Web site connection

Posted on 2013-06-11
4
351 Views
Last Modified: 2013-06-11
This question is to establish best practice.

I am building a web application with PHP 5.3 and MS SQL Server 2012.

My question is: what is the best, most secure way to have the front-end app call the procedures in the DB?

1. Do I create a Windows account and give that Windows user rights to the appropriate DB?

2. Do I create a SQL user and give it proper rights?

3. Is there another way, maybe, that I am not aware of?


The site application will be dealing with money, so the best security is a must.

User login will be needed to get into the site as well, to do certain things. Not sure if this matters, but I wanted to make that point.

Any links or advice as to what is most secure and the best industry practice would be great!

Thanks for your help in advance.
0
Question by:Leo Torres
4 Comments
 
LVL 20

Accepted Solution

by:
Mark Brady earned 300 total points
ID: 39238627
The first thing I always do with a new database is create a user for it. You can assign permissions for that user and limit what they are allowed to see and modify. Your PHP scripts will be secure and can't be viewed by a web browser, so you can put your login credentials in a script and include that script in any other PHP file that needs DB access.

Just make sure you are cleaning any input data that comes from both users and your scripts. If you do any POST or GET calls to an API (script), you need to clean these on the back end, as they can be tampered with.

Doing checks on the front end only is not secure. You must do them on the server side.

For faster page loading, etc., I recommend using AJAX to make your calls to the back end. You can get information without having to refresh/reload the entire web page. There are just a few points to help you out.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 200 total points
ID: 39238793
Create an SQL user and give it only limited rights, those necessary for the application to work.
0
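The two answers above (a dedicated, limited-rights SQL user whose credentials live in one included PHP file, and server-side cleaning of anything that arrives via GET/POST) combined into one added example; this is not code from the thread. It assumes the pdo_sqlsrv driver, a login named app_web that has only EXECUTE on the procedures it needs, a database MoneyApp and a procedure dbo.usp_GetAccountBalance; all of these names are placeholders.

```php
<?php
// config/db.php -- assumed to live OUTSIDE the web root so it can never be
// served as a file. Every page that needs the DB does require_once() on it.
// The login 'app_web' is assumed to hold EXECUTE on the needed procedures
// and no direct table rights (a constructed example, not the thread's code).
function db_connect()
{
    static $pdo = null;
    if ($pdo === null) {
        $dsn = 'sqlsrv:Server=DBHOST;Database=MoneyApp';   // placeholder host/db
        $pdo = new PDO($dsn, 'app_web', 'REPLACE_WITH_SECRET');
        // Raise exceptions instead of silently returning false on failure.
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    return $pdo;
}

/**
 * Server-side validation of a value that arrived via GET/POST, followed by a
 * parameterised stored-procedure call. Procedure name and parameter are
 * hypothetical.
 */
function get_account_balance($rawAccountId)
{
    // Validate on the server: accept only a positive integer, whatever the
    // browser-side check claimed.
    $accountId = filter_var($rawAccountId, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    if ($accountId === false) {
        throw new InvalidArgumentException('Invalid account id');
    }

    // The value is bound as a typed parameter; it never becomes part of the
    // SQL text, so the procedure receives exactly one integer.
    $stmt = db_connect()->prepare('{CALL dbo.usp_GetAccountBalance(?)}');
    $stmt->bindValue(1, $accountId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Usage from a page: require_once '/path/outside/webroot/config/db.php';
// $row = get_account_balance($_POST['account_id']);
```

Because app_web can only execute the granted procedures, a bug elsewhere in the PHP code cannot be turned into direct reads or writes of the underlying tables; check the grants from the DB side with HAS_PERMS_BY_NAME or by running EXECUTE AS USER = 'app_web' in a test query.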
 
LVL 8

Author Comment

by:Leo Torres
ID: 39239164
Thanks guys!
0
 
LVL 8

Author Comment

by:Leo Torres
ID: 39239173
Elvin,

when you say "You must do them on the server side"

is this in the PHP code or in the DB procedure code?

Or which do you recommend?
0
