Hey,

There is nothing to stop him doing that; it all comes down to a question of architecture. If you are exposing a shared database openly to everyone, then you run the risk of something happening that you are not expecting: someone deleting something, changing something they shouldn't, etc. Granted, you can restrict the permissions on the database to prevent this from happening, but at the end of the day, your full database is open.

Putting a web service between your application (both web and Windows) means that you reduce the potential surface area for attack, only exposing the methods that you want/need to.

This approach also has the added benefit of having the same code for accessing the database in both applications; it is all done through the web service.

Gary
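
The architecture described in the reply above, sketched as an added example that is not part of the original post: a service layer holds the only database connection and exposes an allow-list of methods, so clients cannot reach a delete operation or send their own SQL. The `OrderService` class, its method names and the `orders` table are hypothetical, and the in-memory SQLite data is constructed for the demonstration.

```python
import sqlite3

class OrderService:
    """Hypothetical service layer: the only code that holds a DB connection."""

    # Allow-list of operations that clients may invoke by name.
    EXPOSED = {"list_orders", "add_order"}

    def __init__(self):
        # Constructed sample data; a real service would connect with a
        # least-privilege database account instead of an in-memory DB.
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, qty INTEGER)")
        self._db.execute("INSERT INTO orders (customer, qty) VALUES ('alice', 2)")
        self._db.commit()

    def dispatch(self, method, **params):
        """Entry point a web endpoint would call; rejects anything not exposed."""
        if method not in self.EXPOSED:
            raise PermissionError(f"method not exposed: {method}")
        return getattr(self, method)(**params)

    def list_orders(self, customer):
        rows = self._db.execute(
            "SELECT id, qty FROM orders WHERE customer = ?", (customer,))
        return rows.fetchall()

    def add_order(self, customer, qty):
        # Validation lives in one place for both the web and Windows clients.
        if not isinstance(qty, int) or not 1 <= qty <= 100:
            raise ValueError("qty must be an integer from 1 to 100")
        cur = self._db.execute(
            "INSERT INTO orders (customer, qty) VALUES (?, ?)", (customer, qty))
        self._db.commit()
        return cur.lastrowid

    def _purge(self):
        # Internal maintenance; deliberately absent from EXPOSED.
        self._db.execute("DELETE FROM orders")
        self._db.commit()

def demo():
    svc = OrderService()
    new_id = svc.dispatch("add_order", customer="alice", qty=3)
    try:
        svc.dispatch("_purge")
        blocked = False
    except PermissionError:
        blocked = True
    return new_id, svc.dispatch("list_orders", customer="alice"), blocked
```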