Solved

When sending a sql command to the server over a network how secure is it?

Posted on 2014-09-19
10
159 Views
Last Modified: 2014-09-21
I am looking into writing some register software.  It will need to communicate with a SQL server over an open network.  What is the best approach to make it difficult for someone to intercept the SQL command and use it for nefarious actions. I will be using vb.net to write the software.
0
Comment
Question by:Millkind
  • 5
  • 4
10 Comments
 
LVL 29

Assisted Solution

by:Paul Jackson
Paul Jackson earned 150 total points
ID: 40332623
The simplest way to secure your sql statements over a network is to not send sql statements over a network. Instead write stored procedures that will be located on the sql server and call them with your vb.net code.
0
 
LVL 45

Expert Comment

by:Vitor Montalvão
ID: 40332655
I would be more focus on how to protect the SQL Server and the database. I don't think that if someone that wants to hack your system would look for SQL statements. What for (s)he would need that without having access to the database?
And if (s)he have access to the database (s)he can do whatever (s)he want. Wouldn't need your SQL commands for nothing.
0
 

Author Comment

by:Millkind
ID: 40332751
Wouldn't they be able to see the connection string and get the password from there?
0
 
LVL 45

Accepted Solution

by:
Vitor Montalvão earned 350 total points
ID: 40332769
Now you talking about the connection string. I thought you are concerned about SQL commands.
For the connection string you have a option that permits you to encrypt it but the more secure is to use windows authentication and then you'll be able to user integrated security so neither user and password will be in the connection string:
<connectionString="Data Source=ServerName;Integrated Security=SSPI;Initial Catalog=DatabaseName>
0
 

Author Comment

by:Millkind
ID: 40332793
Okay good to know.  Wasn't sure how to properly word my original question.  I thought that the sql statements and connection string got combined when a query was executed.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:Millkind
ID: 40332841
If I use Integrated Security=SSPI and my network admins require each user on the register to log onto the machine it seems that each user will need to have access granted to the server.
0
 
LVL 45

Expert Comment

by:Vitor Montalvão
ID: 40332850
Not to the server. Users needs only to have permissions on application and database. There's no need to grant them access to any server. Always give the low permissions possible.
0
 

Author Comment

by:Millkind
ID: 40332868
Understood. However still means granting on average 50 people rights to the database at any one time.  Also with a turnover rate of 10 people every 6 months the over head. However that is the price for security.  I'm going to let this question open for a few more days in case something else comes up.
0
 

Author Comment

by:Millkind
ID: 40333116
It seems I could set up a service on the server and communicate to it from the application.  The communication would be encrypted. The service would do all the queries and just send responses based on the query run.  The service would communicate from the server to the server so should be pretty secure.
0
 
LVL 45

Expert Comment

by:Vitor Montalvão
ID: 40336022
If they are all AD users, then the easy way is to create a group in AD where those users will be added into. Then you'll only need to give permissions to that group in SQL Server so you won't need to add or remove more users in the future.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Parsing a CSV file is a task that we are confronted with regularly, and although there are a vast number of means to do this, as a newbie, the field can be confusing and the tools can seem complex. A simple solution to parsing a customized CSV fi…
SQL Server engine let you use a Windows account or a SQL Server account to connect to a SQL Server instance. This can be configured immediatly during the SQL Server installation or after in the Server Authentication section in the Server properties …
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now