Solved

When sending a SQL command to the server over a network, how secure is it?

Posted on 2014-09-19
10
171 Views
Last Modified: 2014-09-21
I am looking into writing some register software.  It will need to communicate with a SQL server over an open network.  What is the best approach to make it difficult for someone to intercept the SQL command and use it for nefarious actions? I will be using vb.net to write the software.
0
Comment
Question by:Millkind
10 Comments
 
LVL 29

Assisted Solution

by:Paul Jackson
Paul Jackson earned 150 total points
ID: 40332623
The simplest way to secure your SQL statements over a network is to not send SQL statements over a network. Instead, write stored procedures that will be located on the SQL server and call them with your vb.net code.
0
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40332655
I would be more focused on how to protect the SQL Server and the database. I don't think that someone who wants to hack your system would look for SQL statements. What would (s)he need them for without having access to the database?
And if (s)he has access to the database, (s)he can do whatever (s)he wants. (S)he wouldn't need your SQL commands for anything.
0
 

Author Comment

by:Millkind
ID: 40332751
Wouldn't they be able to see the connection string and get the password from there?
0
 
LVL 50

Accepted Solution

by:
Vitor Montalvão earned 350 total points
ID: 40332769
Now you are talking about the connection string. I thought you were concerned about SQL commands.
For the connection string you have an option that permits you to encrypt it, but the more secure way is to use Windows authentication, and then you'll be able to use integrated security so neither user nor password will be in the connection string:
connectionString="Data Source=ServerName;Integrated Security=SSPI;Initial Catalog=DatabaseName"
0
 

Author Comment

by:Millkind
ID: 40332793
Okay, good to know.  Wasn't sure how to properly word my original question.  I thought that the SQL statements and connection string got combined when a query was executed.
0
 

Author Comment

by:Millkind
ID: 40332841
If I use Integrated Security=SSPI and my network admins require each user on the register to log onto the machine it seems that each user will need to have access granted to the server.
0
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40332850
Not to the server. Users only need to have permissions on the application and database. There's no need to grant them access to any server. Always give the lowest permissions possible.
0
 

Author Comment

by:Millkind
ID: 40332868
Understood. However, that still means granting on average 50 people rights to the database at any one time.  Also, with a turnover rate of 10 people every 6 months, the overhead. However, that is the price for security.  I'm going to leave this question open for a few more days in case something else comes up.
0
 

Author Comment

by:Millkind
ID: 40333116
It seems I could set up a service on the server and communicate to it from the application.  The communication would be encrypted. The service would do all the queries and just send responses based on the query run.  The service would communicate from the server to the server so should be pretty secure.
0
 
LVL 50

Expert Comment

by:Vitor Montalvão
ID: 40336022
If they are all AD users, then the easy way is to create a group in AD to which those users will be added. Then you'll only need to give permissions to that group in SQL Server, so you won't need to add or remove more users in the future.
0
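
Server-side setup that combines the stored-procedure, lowest-permission and AD-group suggestions from the answers above; this is an added example, not code posted by any participant in the thread. The database RegisterDb, table dbo.Sales, procedure dbo.usp_RecordSale, role register_app and group CONTOSO\RegisterUsers are hypothetical names; `GO` is the batch separator used by sqlcmd and SSMS, and `ALTER ROLE ... ADD MEMBER` assumes SQL Server 2012 or later.

```sql
USE RegisterDb;  -- hypothetical database name
GO
-- Hypothetical table the register writes to; SoldBy records the individual Windows user.
CREATE TABLE dbo.Sales (
    SaleId     INT IDENTITY(1,1) PRIMARY KEY,
    RegisterId INT           NOT NULL,
    Amount     DECIMAL(10,2) NOT NULL,
    SoldAt     DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    SoldBy     NVARCHAR(128) NOT NULL DEFAULT SUSER_SNAME()
);
GO
-- The only operation the register client is allowed to perform.
CREATE PROCEDURE dbo.usp_RecordSale
    @RegisterId INT,
    @Amount     DECIMAL(10,2)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Amount <= 0
    BEGIN
        RAISERROR('Amount must be positive.', 16, 1);
        RETURN;
    END;
    INSERT INTO dbo.Sales (RegisterId, Amount) VALUES (@RegisterId, @Amount);
    SELECT CAST(SCOPE_IDENTITY() AS INT) AS SaleId;
END;
GO
-- One login for the whole AD group: staff turnover is handled in AD, not in SQL Server.
USE master;
CREATE LOGIN [CONTOSO\RegisterUsers] FROM WINDOWS;
GO
USE RegisterDb;
CREATE USER [CONTOSO\RegisterUsers] FOR LOGIN [CONTOSO\RegisterUsers];
CREATE ROLE register_app;
ALTER ROLE register_app ADD MEMBER [CONTOSO\RegisterUsers];
-- EXECUTE on the procedure only; no SELECT/INSERT/UPDATE/DELETE on dbo.Sales itself.
GRANT EXECUTE ON OBJECT::dbo.usp_RecordSale TO register_app;
GO
-- Check what the role can actually do (expect a single EXECUTE row).
SELECT pr.name AS principal, pe.permission_name, OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'register_app';
-- As an administrator (needs VIEW SERVER STATE): sessions using SQL logins or no encryption.
SELECT c.session_id, s.login_name, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1 AND (c.auth_scheme = 'SQL' OR c.encrypt_option = 'FALSE');
```

Because the table and the procedure share the same owner, ownership chaining lets group members insert through the procedure without holding any permission on the table.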

Question has a verified solution.
