Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

When sending a sql command to the server over a network how secure is it?

Posted on 2014-09-19
10
168 Views
Last Modified: 2014-09-21
I am looking into writing some register software.  It will need to communicate with a SQL server over an open network.  What is the best approach to make it difficult for someone to intercept the SQL command and use it for nefarious actions. I will be using vb.net to write the software.
0
Comment
Question by:Millkind
  • 5
  • 4
10 Comments
 
LVL 29

Assisted Solution

by:Paul Jackson
Paul Jackson earned 150 total points
ID: 40332623
The simplest way to secure your sql statements over a network is to not send sql statements over a network. Instead write stored procedures that will be located on the sql server and call them with your vb.net code.
0
 
LVL 48

Expert Comment

by:Vitor Montalvão
ID: 40332655
I would be more focus on how to protect the SQL Server and the database. I don't think that if someone that wants to hack your system would look for SQL statements. What for (s)he would need that without having access to the database?
And if (s)he have access to the database (s)he can do whatever (s)he want. Wouldn't need your SQL commands for nothing.
0
 

Author Comment

by:Millkind
ID: 40332751
Wouldn't they be able to see the connection string and get the password from there?
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 48

Accepted Solution

by:
Vitor Montalvão earned 350 total points
ID: 40332769
Now you talking about the connection string. I thought you are concerned about SQL commands.
For the connection string you have a option that permits you to encrypt it but the more secure is to use windows authentication and then you'll be able to user integrated security so neither user and password will be in the connection string:
<connectionString="Data Source=ServerName;Integrated Security=SSPI;Initial Catalog=DatabaseName>
0
 

Author Comment

by:Millkind
ID: 40332793
Okay good to know.  Wasn't sure how to properly word my original question.  I thought that the sql statements and connection string got combined when a query was executed.
0
 

Author Comment

by:Millkind
ID: 40332841
If I use Integrated Security=SSPI and my network admins require each user on the register to log onto the machine it seems that each user will need to have access granted to the server.
0
 
LVL 48

Expert Comment

by:Vitor Montalvão
ID: 40332850
Not to the server. Users needs only to have permissions on application and database. There's no need to grant them access to any server. Always give the low permissions possible.
0
 

Author Comment

by:Millkind
ID: 40332868
Understood. However still means granting on average 50 people rights to the database at any one time.  Also with a turnover rate of 10 people every 6 months the over head. However that is the price for security.  I'm going to let this question open for a few more days in case something else comes up.
0
 

Author Comment

by:Millkind
ID: 40333116
It seems I could set up a service on the server and communicate to it from the application.  The communication would be encrypted. The service would do all the queries and just send responses based on the query run.  The service would communicate from the server to the server so should be pretty secure.
0
 
LVL 48

Expert Comment

by:Vitor Montalvão
ID: 40336022
If they are all AD users, then the easy way is to create a group in AD where those users will be added into. Then you'll only need to give permissions to that group in SQL Server so you won't need to add or remove more users in the future.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question