Solved

Web site connection

Posted on 2013-06-11
Last Modified: 2013-06-11
This question is to establish best practice.

I am building a web application with php 5.3 and MS SQL Server 2012.

My question is: what is the best, most secure way to have the front-end app call the procedures in the DB?

1. Do I create a Windows account and give that Windows user rights to the appropriate DB?

2. Do I create a SQL user and give it the proper rights?

3. Is there another way, maybe, that I am not aware of?

The site application will be dealing with money, so the best security is a must.

User login will be needed to get into the site as well, to do certain things. Not sure if this matters, but I wanted to make that point.

Any links or advice as to what is most secure and the best industry practice would be great!

Thanks for your help in advance.
Question by:Leo Torres
4 Comments
Accepted Solution
by: Mark Brady (earned 300 total points)
ID: 39238627
The first thing I always do with a new database is create a user for it. You can assign permissions for that user and limit what they are allowed to see and modify. Your PHP scripts will be secure and can't be viewed by a web browser, so you can put your login credentials in a script and include that script in any other PHP file you need to have DB access.

Just make sure you are cleaning any input data that comes from both users and your scripts. If you do any POST or GET calls to an API (script), you need to clean these on the backend, as they can be tampered with.

Doing checks on the front end only is not secure. You must do them on the server side.

For faster page loading etc., I recommend using AJAX to make your calls to the backend. You can get information and not have to refresh/reload the entire webpage. Those are just a few points to help you out.

Assisted Solution
by: Dave Baldwin (earned 200 total points)
ID: 39238793
Create an SQL user and give it only limited rights, those necessary for the application to work.

Author Comment
by: Leo Torres
ID: 39239164
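An added example tying the two answers above together (it is not code from either answerer): a least-privilege SQL Server user that can only EXECUTE procedures, credentials kept in an include file outside the web root, server-side validation of the posted values, and a parameterized stored-procedure call through the pdo_sqlsrv driver on PHP 5.3. The schema `app`, the procedure `app.TransferFunds`, the login/user names and the config path are all assumptions.

```php
<?php
// Added example, not from the thread. Names below are assumptions.
//
// Constructed T-SQL a DBA runs once so the web app's login can only call
// procedures in the "app" schema and has no direct table access:
//   CREATE LOGIN app_login WITH PASSWORD = '<strong password>';
//   CREATE USER app_user FOR LOGIN app_login;
//   GRANT EXECUTE ON SCHEMA::app TO app_user;
//
// /etc/myapp/db.php (outside the web root) returns the credentials:
//   return array('host'=>'dbhost', 'db'=>'money', 'user'=>'app_login', 'pass'=>'...');

function db_connect($configPath)
{
    $cfg = require $configPath;
    $dsn = 'sqlsrv:Server=' . $cfg['host'] . ';Database=' . $cfg['db'];
    $pdo = new PDO($dsn, $cfg['user'], $cfg['pass']);
    // Throw on any error so a failed call can never silently proceed.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Server-side validation: the browser's checks are only a convenience.
// Returns a clean array or false.
function validate_transfer(array $input)
{
    $intOpts = array('options' => array('min_range' => 1));
    $from = filter_var(isset($input['from']) ? $input['from'] : null, FILTER_VALIDATE_INT, $intOpts);
    $to   = filter_var(isset($input['to'])   ? $input['to']   : null, FILTER_VALIDATE_INT, $intOpts);
    $amount = isset($input['amount']) ? (string) $input['amount'] : '';
    // Money stays a string (no float rounding): digits with at most two decimals, > 0.
    if ($from === false || $to === false || $from === $to
        || !preg_match('/^\d{1,12}(\.\d{1,2})?$/', $amount) || $amount <= 0) {
        return false;
    }
    return array('from' => $from, 'to' => $to, 'amount' => $amount);
}

// Bound parameters: user data never becomes part of the SQL text.
function transfer_funds(PDO $pdo, array $clean)
{
    $stmt = $pdo->prepare('{CALL app.TransferFunds(?, ?, ?)}');
    $stmt->bindValue(1, $clean['from'], PDO::PARAM_INT);
    $stmt->bindValue(2, $clean['to'], PDO::PARAM_INT);
    $stmt->bindValue(3, $clean['amount'], PDO::PARAM_STR);
    return $stmt->execute();
}

$clean = validate_transfer($_POST);
if ($clean === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid transfer request');
}
transfer_funds(db_connect('/etc/myapp/db.php'), $clean);
```

Because app_user holds only EXECUTE on the schema, even a bug elsewhere in the PHP code cannot turn into an ad-hoc SELECT or UPDATE against the tables; the business rules (balance checks, audit rows) then belong inside the procedure, where the DB enforces them regardless of which client calls it.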
Thanks guys!

Author Comment
by: Leo Torres
ID: 39239173
Elvin,

When you say "You must do them on the server side", is this in the PHP code or in the DB procedure code? Or which do you recommend?