Solved

When sending a sql command to the server over a network how secure is it?

Posted on 2014-09-19
10
169 Views
Last Modified: 2014-09-21
I am looking into writing some register software.  It will need to communicate with a SQL server over an open network.  What is the best approach to make it difficult for someone to intercept the SQL command and use it for nefarious actions. I will be using vb.net to write the software.
0
Comment
Question by:Millkind
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 29

Assisted Solution

by:Paul Jackson
Paul Jackson earned 150 total points
ID: 40332623
The simplest way to secure your sql statements over a network is to not send sql statements over a network. Instead write stored procedures that will be located on the sql server and call them with your vb.net code.
0
 
LVL 49

Expert Comment

by:Vitor Montalvão
ID: 40332655
I would be more focus on how to protect the SQL Server and the database. I don't think that if someone that wants to hack your system would look for SQL statements. What for (s)he would need that without having access to the database?
And if (s)he have access to the database (s)he can do whatever (s)he want. Wouldn't need your SQL commands for nothing.
0
 

Author Comment

by:Millkind
ID: 40332751
Wouldn't they be able to see the connection string and get the password from there?
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 
LVL 49

Accepted Solution

by:
Vitor Montalvão earned 350 total points
ID: 40332769
Now you talking about the connection string. I thought you are concerned about SQL commands.
For the connection string you have a option that permits you to encrypt it but the more secure is to use windows authentication and then you'll be able to user integrated security so neither user and password will be in the connection string:
<connectionString="Data Source=ServerName;Integrated Security=SSPI;Initial Catalog=DatabaseName>
0
 

Author Comment

by:Millkind
ID: 40332793
Okay good to know.  Wasn't sure how to properly word my original question.  I thought that the sql statements and connection string got combined when a query was executed.
0
 

Author Comment

by:Millkind
ID: 40332841
If I use Integrated Security=SSPI and my network admins require each user on the register to log onto the machine it seems that each user will need to have access granted to the server.
0
 
LVL 49

Expert Comment

by:Vitor Montalvão
ID: 40332850
Not to the server. Users needs only to have permissions on application and database. There's no need to grant them access to any server. Always give the low permissions possible.
0
 

Author Comment

by:Millkind
ID: 40332868
Understood. However still means granting on average 50 people rights to the database at any one time.  Also with a turnover rate of 10 people every 6 months the over head. However that is the price for security.  I'm going to let this question open for a few more days in case something else comes up.
0
 

Author Comment

by:Millkind
ID: 40333116
It seems I could set up a service on the server and communicate to it from the application.  The communication would be encrypted. The service would do all the queries and just send responses based on the query run.  The service would communicate from the server to the server so should be pretty secure.
0
 
LVL 49

Expert Comment

by:Vitor Montalvão
ID: 40336022
If they are all AD users, then the easy way is to create a group in AD where those users will be added into. Then you'll only need to give permissions to that group in SQL Server so you won't need to add or remove more users in the future.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
Calculating holidays and working days is a function that is often needed yet it is not one found within the Framework. This article presents one approach to building a working-day calculator for use in .NET.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question