Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Web site connection

Posted on 2013-06-11
4
Medium Priority
?
359 Views
Last Modified: 2013-06-11
This question is to establish best practice.

I am building a web application with php 5.3 and MS SQL Server 2012.

My question is what is the best most secure way to have the front end app call the procedures in the DB.

1. Do i create a windows account and give that windows user rights to the appropriate DB.

2. Do I create a SQL user and give proper rights

3. Is there another way maybe that I am not aware of.


Site Application will be dealing with money so best security is a must.

User login will be needed to get into site as well.. to do certain things. Not sure if this matters but wanted to make that point.

Any links or advice as what is most secure and the best industry practice would be great!

Thanks for your help in advance.
0
Comment
Question by:Leo Torres
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 20

Accepted Solution

by:
Mark Brady earned 1200 total points
ID: 39238627
The first thing I always do with a new database is create a user for it. You can assign permissions for that user and limit what they are allowed to see and modify. Your php scripts will be secure and can't be viewed by a web browser so you can put your login credentials in a script and include that script in any other php file you need to have DB access.

Just make sure you are cleaning any input data that comes from both users and your scripts. If you do any POST or GET calls to an api (script) you need to clean these on the backend as they can be tampered with.

Doing checks on the front end only is not secure. You must do them on the server side.

For faster page loading etc.. I recommend using ajax to make your calls to the backend. You can get information and not have to refresh/reload the entire webpage.  There's just a few points to help you out.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 800 total points
ID: 39238793
Create an SQL user and give only limited rights, those necessarily for the application to work.
0
 
LVL 8

Author Comment

by:Leo Torres
ID: 39239164
Thanks guys!
0
 
LVL 8

Author Comment

by:Leo Torres
ID: 39239173
Elvin,

when you say "You must do them on the server side"

is this in the php code or in the DB procedure code?

or which do you recommend?
0

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
When trying to connect from SSMS v17.x to a SQL Server Integration Services 2016 instance or previous version, you get the error “Connecting to the Integration Services service on the computer failed with the following error: 'The specified service …
The purpose of this video is to demonstrate how to Import and export files in WordPress. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Click on Too…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question