Thread: Webservice and database security

  1. #1

    Thread Starter
    Junior Member
    Join Date
    Oct 2018
    Posts
    21

    Webservice and database security

    Hello

    Is it necessary to use a webservice for the security of the DB?
    I put my connection string (which has the username and password of the DB) in web.config.
    Is it a security weakness?
    Must I put the connection string in a webservice?
    If I put my connection string in a webservice, will database security be provided?

    Thanks very much

  2. #2
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,031

    Re: Webservice and database security

    I've moved your thread into the General Development forum. I don't think we have a perfect fit for this particular question but this seemed about the best.

    As for whether you need a web service, strictly speaking you don't but it's probably a good idea if your database contains sensitive data or is likely to attract hackers for some reason or is something you couldn't recover from if you were hacked. Basically, all security is about layers. The more layers the better but each layer costs time, effort and/or money.

    Having your username and password in the config file means they shouldn't normally get served up to a user's browser. But a determined hacker might find their way into the web server and find a way of accessing the config file to get the connection data. If you were using a web service then a hacker would have to break into the web server to get the details of the web service and then break into that to get the connection details of the DB - it's an extra wall for them to climb over.

    Nothing you do will ever make your database "safe", you can just make it "safer".

  3. #3
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    17,787

    Re: Webservice and database security

    I always felt that if they could get to the WEB.CONFIG file they have already breached the physical server and you basically lost that battle already. That means they can look for passwords in CONFIG files or try to exploit other credentials to get to the DB.

    When my users log in initially I pass them a GUID that the server created. Each AJAX POST to a web service from that point forward passes along that GUID for identification. If the server cannot find that GUID in the allowed list of users - they are denied. I can use this to time-out users after a certain time of inactivity. I also register "alerts" based on these GUIDs so that data being displayed on other users' web pages can be refreshed based on updates by other users...


    MS MVP 2006, 2007, 2008
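
The login-token scheme described in post #3, sketched in C# as an added example (not szlamany's code): the server issues a token after login, checks it on every web service call, and expires it after inactivity. The class name, the 20-minute timeout and the use of 32 CSPRNG bytes in place of a GUID are assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

public sealed class SessionRegistry
{
    private sealed class Entry { public string User; public DateTime LastSeenUtc; }
    private readonly ConcurrentDictionary<string, Entry> _sessions = new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _idleTimeout;
    private readonly Func<DateTime> _utcNow; // injectable clock, so the timeout can be shown
    public SessionRegistry(TimeSpan idleTimeout, Func<DateTime> utcNow)
    { _idleTimeout = idleTimeout; _utcNow = utcNow; }

    // Call only after the password check has succeeded; the token goes back to the browser.
    public string Issue(string user)
    {
        var bytes = new byte[32]; // 256 bits from the OS CSPRNG (assumption: used instead of a GUID)
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _sessions[token] = new Entry { User = user, LastSeenUtc = _utcNow() };
        return token;
    }

    // Call first in every web service method; unknown and idle tokens are both denied.
    public bool TryAuthorize(string token, out string user)
    {
        user = null;
        Entry entry, removed;
        if (string.IsNullOrEmpty(token) || !_sessions.TryGetValue(token, out entry)) return false;
        lock (entry)
        {
            DateTime now = _utcNow();
            if (now - entry.LastSeenUtc > _idleTimeout) { _sessions.TryRemove(token, out removed); return false; }
            entry.LastSeenUtc = now; // sliding window: each accepted call extends the session
            user = entry.User;
            return true;
        }
    }

    public static void Main()
    {
        DateTime clock = new DateTime(2018, 11, 1, 9, 0, 0, DateTimeKind.Utc); // constructed time
        var registry = new SessionRegistry(TimeSpan.FromMinutes(20), () => clock);
        string user, token = registry.Issue("alice"); // constructed user name
        Console.WriteLine("valid token:   " + registry.TryAuthorize(token, out user));
        Console.WriteLine("unknown token: " + registry.TryAuthorize("not-issued", out user));
        clock = clock.AddMinutes(21); // no activity for longer than the timeout
        Console.WriteLine("idle 21 min:   " + registry.TryAuthorize(token, out user));
    }
}
```

The token identifies the caller only; each service method still has to check what that user is allowed to do, and the token should travel over HTTPS only.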

  4. #4
    Junior Member
    Join Date
    Nov 2018
    Posts
    20

    Re: Webservice and database security

    Azure Key has something called User Secrets. I don't know if this pertains to you but you essentially create a hidden web info config file within your local machine that has your database and user password stored.
    In your actual application tell the location of the web config to look for it.

    https://docs.microsoft.com/en-us/asp...1&tabs=windows

  5. #5
    Superbly Moderated NeedSomeAnswers's Avatar
    Join Date
    Jun 2002
    Location
    Manchester uk
    Posts
    2,479

    Re: Webservice and database security

    As for whether you need a web service, strictly speaking you don't but it's probably a good idea if your database contains sensitive data or is likely to attract hackers for some reason or is something you couldn't recover from if you were hacked. Basically, all security is about layers. The more layers the better but each layer costs time, effort and/or money.
    While it's true you don't need to have it, I would strongly advise it.

    If you don't have a web service between your web application and your database then firstly you have to open ports for traffic directly to your database through your firewall (assuming you have a DMZ, and if you don't then that's a whole other security risk you have), and secondly you have to send SQL statements directly from your web pages, which means they are a target for SQL injection attacks.

    Neither of these things is advisable!!!

  6. #6
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    5,406

    Re: Webservice and database security

    You can of course encrypt your web.config file contents so even if they locate the file they can't read the passwords.
    Of course if they can get full access to your server then they can decrypt but if that happens then there is no point talking about web services and such as your primary concern would be to secure the server - servers.
    Slow as hell.
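
Encrypting the connectionStrings section as post #6 suggests, as an added example that is not from the thread: it uses the .NET Framework System.Configuration API with the built-in DPAPI provider on a temporary config file. The file name, server name, connection string and password are constructed; Windows and a reference to System.Configuration.dll are assumed.

```csharp
using System;
using System.Configuration; // .NET Framework; add a reference to System.Configuration.dll
using System.IO;

public static class ConfigProtectionDemo
{
    private static Configuration Open(string path)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Encrypts the <connectionStrings> section of the file in place (DPAPI, Windows only).
    public static void Protect(string path)
    {
        Configuration cfg = Open(path);
        ConfigurationSection section = cfg.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected) return;
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        cfg.Save(ConfigurationSaveMode.Modified);
    }

    // The configuration API decrypts transparently, so application code does not change.
    public static string Read(string path, string name)
    {
        return Open(path).ConnectionStrings.ConnectionStrings[name].ConnectionString;
    }

    public static void Main()
    {
        const string secret = "CONSTRUCTED-EXAMPLE-PASSWORD"; // constructed sample value
        string path = Path.Combine(Path.GetTempPath(), "demo.web.config");
        File.WriteAllText(path,
            "<?xml version=\"1.0\"?><configuration><connectionStrings>" +
            "<add name=\"Main\" connectionString=\"Server=db.example.test;Database=App;" +
            "User Id=app_user;Password=" + secret + "\" />" +
            "</connectionStrings></configuration>");

        Protect(path);
        Console.WriteLine("Plaintext password still on disk: " + File.ReadAllText(path).Contains(secret));
        Console.WriteLine("Readable through the API: " + Read(path, "Main").Contains(secret));
        File.Delete(path);
    }
}
```

On a deployed site the same protection is normally applied with `aspnet_regiis -pe`. With the default DPAPI provider settings the key is bound to the machine, so the encrypted file cannot be read on another server, but any code running on that server can still decrypt it.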
