Solved

Web site connection

Posted on 2013-06-11
Last Modified: 2013-06-11
This question is to establish best practice.

I am building a web application with php 5.3 and MS SQL Server 2012.

My question is: what is the best, most secure way to have the front end app call the procedures in the DB?

1. Do I create a Windows account and give that Windows user rights to the appropriate DB?

2. Do I create a SQL user and give proper rights?

3. Is there another way, maybe, that I am not aware of?


The site application will be dealing with money, so the best security is a must.

User login will be needed to get into the site as well, to do certain things. Not sure if this matters, but I wanted to make that point.

Any links or advice as to what is most secure and the best industry practice would be great!

Thanks for your help in advance.
Question by: Leo Torres

4 Comments
Accepted Solution

by: Mark Brady (earned 300 total points)
ID: 39238627
The first thing I always do with a new database is create a user for it. You can assign permissions for that user and limit what they are allowed to see and modify. Your PHP scripts will be secure and can't be viewed by a web browser, so you can put your login credentials in a script and include that script in any other PHP file you need to have DB access.

Just make sure you are cleaning any input data that comes from both users and your scripts. If you do any POST or GET calls to an API (script), you need to clean these on the back end, as they can be tampered with.

Doing checks on the front end only is not secure. You must do them on the server side.

For faster page loading etc., I recommend using AJAX to make your calls to the back end. You can get information and not have to refresh/reload the entire web page. Those are just a few points to help you out.
0
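Mark's point that the checks have to live on the server side, as an added T-SQL example that is not code from the thread. It puts every check into the stored procedure the PHP front end calls, so nothing a tampered form posts can bypass them, and it shows the one way a procedure can still be injectable. The table, the `app` schema, the procedure names and the DECIMAL(19,4) money column are assumptions; the syntax is SQL Server 2012 T-SQL.

```sql
-- Added example, not code from the thread. Table/procedure names and the
-- DECIMAL(19,4) money type are assumptions; the syntax is SQL Server 2012 T-SQL.
CREATE TABLE dbo.Accounts (
    AccountId   INT            NOT NULL PRIMARY KEY,
    OwnerUserId INT            NOT NULL,   -- the site login that owns the account
    OwnerName   NVARCHAR(100)  NOT NULL,
    Balance     DECIMAL(19,4)  NOT NULL
        CONSTRAINT CK_Accounts_Balance CHECK (Balance >= 0)  -- the DB enforces it too
);
GO
CREATE SCHEMA app AUTHORIZATION dbo;   -- all procedures the PHP front end may call
GO

-- Every check the browser-side script could do is repeated here, plus the ones
-- only the server can make: account ownership and sufficient funds.
CREATE PROCEDURE app.TransferFunds
    @CallerUserId  INT,            -- set by PHP from its own server-side session, never from the form
    @FromAccountId INT,
    @ToAccountId   INT,
    @Amount        DECIMAL(19,4)
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;   -- any error below rolls the whole transaction back

    -- 1. Range and sanity checks on the posted values.
    IF @Amount IS NULL OR @Amount <= 0
        THROW 50001, N'Amount must be positive.', 1;
    IF @FromAccountId = @ToAccountId
        THROW 50002, N'Source and destination accounts must differ.', 1;

    BEGIN TRANSACTION;

    -- 2. Authorization: the caller must own the source account. The lock hints
    --    hold the row until COMMIT so two concurrent transfers cannot both pass.
    IF NOT EXISTS (SELECT 1 FROM dbo.Accounts WITH (UPDLOCK, HOLDLOCK)
                   WHERE AccountId = @FromAccountId AND OwnerUserId = @CallerUserId)
        THROW 50003, N'Source account not found or not owned by caller.', 1;

    -- 3. Business rule, checked inside the transaction, not in the browser.
    IF (SELECT Balance FROM dbo.Accounts WHERE AccountId = @FromAccountId) < @Amount
        THROW 50004, N'Insufficient funds.', 1;

    UPDATE dbo.Accounts SET Balance = Balance - @Amount WHERE AccountId = @FromAccountId;
    UPDATE dbo.Accounts SET Balance = Balance + @Amount WHERE AccountId = @ToAccountId;
    IF @@ROWCOUNT <> 1
        THROW 50005, N'Destination account not found.', 1;

    COMMIT TRANSACTION;
END
GO

-- A parameter list alone does not make a procedure safe. Concatenating a parameter
-- into dynamic SQL (deliberately vulnerable, shown for contrast) reintroduces
-- injection: @OwnerName = N''' OR 1=1 --' returns every account.
CREATE PROCEDURE app.FindAccountsByOwner_Unsafe @OwnerName NVARCHAR(100) AS
    EXEC (N'SELECT AccountId FROM dbo.Accounts WHERE OwnerName = N''' + @OwnerName + N'''');
GO
-- Same query with the value passed as a typed parameter via sp_executesql.
CREATE PROCEDURE app.FindAccountsByOwner @OwnerName NVARCHAR(100) AS
    EXEC sys.sp_executesql
        N'SELECT AccountId FROM dbo.Accounts WHERE OwnerName = @name',
        N'@name NVARCHAR(100)', @name = @OwnerName;
GO
```

On the PHP side the call is a prepared statement with every value bound, for example `$pdo->prepare('EXEC app.TransferFunds ?, ?, ?, ?')` through the PDO_SQLSRV driver, with `@CallerUserId` taken from the server-side session rather than from anything the browser sent. The PHP code still validates types and ranges first so that bad requests fail fast, but the procedure is the check that cannot be skipped.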
Assisted Solution

by: Dave Baldwin (earned 200 total points)
ID: 39238793
Create a SQL user and give it only limited rights, those necessary for the application to work.
0
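Dave's one-liner spelled out as an added T-SQL example, not code from the thread. It goes a little beyond his answer by covering both of the asker's options: a SQL-authenticated login (option 2) and the one line that changes for a Windows account (option 1). The web-tier login can only EXECUTE procedures in one schema and has no rights on any table. The database name `BankApp`, the login, schema, role and object names, and the placeholder password are assumptions; it assumes the `BankApp` database already exists. SQL Server 2012 syntax.

```sql
-- Added example, not code from the thread. Database, login, schema and object
-- names and the placeholder password are assumptions; assumes a database named
-- BankApp already exists. SQL Server 2012 T-SQL.
USE master;
GO
-- Option 2 from the question: a SQL-authenticated login for the web tier.
-- CHECK_POLICY applies the Windows password policy. The real password lives
-- only in the PHP config include, kept outside the web root.
CREATE LOGIN web_app
    WITH PASSWORD = N'Replace-Me-With-A-Long-Random-Secret-42',   -- placeholder
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = BankApp;
-- Option 1 (a Windows account) gets exactly the same grants below; only this
-- line differs:  CREATE LOGIN [DOMAIN\svc_webapp] FROM WINDOWS;
GO
USE BankApp;
GO
CREATE USER web_app FOR LOGIN web_app;
GO
-- Procedures the site may call live in one schema owned by dbo, so ownership
-- chaining lets them read and write tables the caller itself has no rights on.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE TABLE dbo.Accounts (AccountId INT PRIMARY KEY, Balance DECIMAL(19,4) NOT NULL);
GO
CREATE PROCEDURE app.GetBalance @AccountId INT AS
    SELECT Balance FROM dbo.Accounts WHERE AccountId = @AccountId;
GO
-- A role carries the permissions; the user is just a member of it.
CREATE ROLE app_executor;
GRANT EXECUTE ON SCHEMA::app TO app_executor;
ALTER ROLE app_executor ADD MEMBER web_app;
-- Nothing else is granted: no db_datareader/db_datawriter, no rights on dbo
-- tables. The DENY also defeats a future accidental GRANT through another role;
-- it does not interfere with the ownership chain from app.* to dbo.* tables.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO web_app;
GO
-- Verify from the application's point of view: EXECUTE on the procedure is
-- allowed, SELECT on the underlying table is not.
EXECUTE AS USER = 'web_app';
SELECT HAS_PERMS_BY_NAME('app.GetBalance', 'OBJECT', 'EXECUTE') AS can_execute_proc,
       HAS_PERMS_BY_NAME('dbo.Accounts',   'OBJECT', 'SELECT')  AS can_read_table;
REVERT;
```

If the login is ever found to need a direct table grant, that is usually a sign a procedure is missing, not a reason to widen the grant: the whole point of routing the money-handling through procedures is that a compromised web tier can do only what those procedures allow.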
Author Comment

by: Leo Torres
ID: 39239164
Thanks guys!
0
Author Comment

by: Leo Torres
ID: 39239173
Elvin,

when you say "You must do them on the server side"

Is this in the PHP code or in the DB procedure code?

Or which do you recommend?
0
