?
Solved

When sending a sql command to the server over a network how secure is it?

Posted on 2014-09-19
10
Medium Priority
?
173 Views
Last Modified: 2014-09-21
I am looking into writing some register software.  It will need to communicate with a SQL server over an open network.  What is the best approach to make it difficult for someone to intercept the SQL command and use it for nefarious actions. I will be using vb.net to write the software.
0
Comment
Question by:Millkind
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 29

Assisted Solution

by:Paul Jackson
Paul Jackson earned 600 total points
ID: 40332623
The simplest way to secure your sql statements over a network is to not send sql statements over a network. Instead write stored procedures that will be located on the sql server and call them with your vb.net code.
0
 
LVL 51

Expert Comment

by:Vitor Montalvão
ID: 40332655
I would be more focus on how to protect the SQL Server and the database. I don't think that if someone that wants to hack your system would look for SQL statements. What for (s)he would need that without having access to the database?
And if (s)he have access to the database (s)he can do whatever (s)he want. Wouldn't need your SQL commands for nothing.
0
 

Author Comment

by:Millkind
ID: 40332751
Wouldn't they be able to see the connection string and get the password from there?
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 51

Accepted Solution

by:
Vitor Montalvão earned 1400 total points
ID: 40332769
Now you talking about the connection string. I thought you are concerned about SQL commands.
For the connection string you have a option that permits you to encrypt it but the more secure is to use windows authentication and then you'll be able to user integrated security so neither user and password will be in the connection string:
<connectionString="Data Source=ServerName;Integrated Security=SSPI;Initial Catalog=DatabaseName>
0
 

Author Comment

by:Millkind
ID: 40332793
Okay good to know.  Wasn't sure how to properly word my original question.  I thought that the sql statements and connection string got combined when a query was executed.
0
 

Author Comment

by:Millkind
ID: 40332841
If I use Integrated Security=SSPI and my network admins require each user on the register to log onto the machine it seems that each user will need to have access granted to the server.
0
 
LVL 51

Expert Comment

by:Vitor Montalvão
ID: 40332850
Not to the server. Users needs only to have permissions on application and database. There's no need to grant them access to any server. Always give the low permissions possible.
0
 

Author Comment

by:Millkind
ID: 40332868
Understood. However still means granting on average 50 people rights to the database at any one time.  Also with a turnover rate of 10 people every 6 months the over head. However that is the price for security.  I'm going to let this question open for a few more days in case something else comes up.
0
 

Author Comment

by:Millkind
ID: 40333116
It seems I could set up a service on the server and communicate to it from the application.  The communication would be encrypted. The service would do all the queries and just send responses based on the query run.  The service would communicate from the server to the server so should be pretty secure.
0
 
LVL 51

Expert Comment

by:Vitor Montalvão
ID: 40336022
If they are all AD users, then the easy way is to create a group in AD where those users will be added into. Then you'll only need to give permissions to that group in SQL Server so you won't need to add or remove more users in the future.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi all, It is important and often overlooked to understand “Database properties”. Often we see questions about "log files" or "where is the database" and one of the easiest ways to get general information about your database is to use “Database p…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question