Solved

Web site connection

Posted on 2013-06-11
4
349 Views
Last Modified: 2013-06-11
This question is to establish best practice.

I am building a web application with php 5.3 and MS SQL Server 2012.

My question is what is the best most secure way to have the front end app call the procedures in the DB.

1. Do i create a windows account and give that windows user rights to the appropriate DB.

2. Do I create a SQL user and give proper rights

3. Is there another way maybe that I am not aware of.


Site Application will be dealing with money so best security is a must.

User login will be needed to get into site as well.. to do certain things. Not sure if this matters but wanted to make that point.

Any links or advice as what is most secure and the best industry practice would be great!

Thanks for your help in advance.
0
Comment
Question by:Leo Torres
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 20

Accepted Solution

by:
Mark Brady earned 300 total points
ID: 39238627
The first thing I always do with a new database is create a user for it. You can assign permissions for that user and limit what they are allowed to see and modify. Your php scripts will be secure and can't be viewed by a web browser so you can put your login credentials in a script and include that script in any other php file you need to have DB access.

Just make sure you are cleaning any input data that comes from both users and your scripts. If you do any POST or GET calls to an api (script) you need to clean these on the backend as they can be tampered with.

Doing checks on the front end only is not secure. You must do them on the server side.

For faster page loading etc.. I recommend using ajax to make your calls to the backend. You can get information and not have to refresh/reload the entire webpage.  There's just a few points to help you out.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 200 total points
ID: 39238793
Create an SQL user and give only limited rights, those necessarily for the application to work.
0
 
LVL 8

Author Comment

by:Leo Torres
ID: 39239164
Thanks guys!
0
 
LVL 8

Author Comment

by:Leo Torres
ID: 39239173
Elvin,

when you say "You must do them on the server side"

is this in the php code or in the DB procedure code?

or which do you recommend?
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses four methods for overlaying images in a container on a web page
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
The purpose of this video is to demonstrate how to prevent comment spam on a WordPress Website. This will be demonstrated using a Windows 8 PC. Plugin Akismet will be used. Go to your WordPress login page. This will look like the following: myw…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question