
website asp db design


inungh

Dec 26, 2009, 6:11:28 PM12/26/09
I would like to use SQL server as my asp website database.

I would like to know whether it is a good idea to create 2 databases: one
for all the links and the other one for the real database, for security
reasons.


Since the dynamic website must let the user log in when the user hits the home
page to get URL link information, it can avoid security issues if the user
does not have rights to access our backend database.

If I only have one database, then once the user hits the home page, that user,
already logged in to SQL Server, can retrieve data from the backend
databases.


Your information is greatly appreciated,

Bob Barrows

Dec 27, 2009, 12:19:22 PM12/27/09
It's good that you're starting off thinking about security, but there's no
point to having a second database that I can see, at least, not for the
reason you are proposing. The user is not (or should not be) directly
logging into the database. It is your server-side code that should be the
only link between the user and the database, thus giving you complete
control over what the user can retrieve or insert into the database.

You control what the user retrieves from the database by:
1. Using a login that has limited rights in the database to which the asp
process is connecting, i.e., grant it only the rights it needs to perform
the functions required by the application
2. Never allow the user to write their own queries - allow them to select or
enter criteria values to retrieve data from, or fill in forms to update data
in, the database ... but use server-side code to perform the actual
retrievals and updates.
3. Avoiding dynamic sql so as to eliminate the risk of sql injection
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

Using parameters to avoid sql injection:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=ukS%246S%247CHA.2464%40TK2MSFTNGP11.phx.gbl
http://www.google.com/groups?selm=eETTdnvFDHA.1660%40TK2MSFTNGP10.phx.gbl&oe=UTF-8 -
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en

--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
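Points 1 and 3 above in classic ASP, as an added example that is not code from the thread: the ASP process connects with one restricted login and retrieves the visitor's links through a typed parameter instead of string-built SQL. The login name "web_app", the stored procedure "dbo.GetUserLinks" (assumed to take a single @UserId int and to be the only object the login has EXECUTE on), the Session key and the placeholder server/password values are all assumptions.

```vbscript
<%
' Added example, not from the thread. One database, a restricted login, and a
' parameterised lookup. Assumed: login "web_app" has EXECUTE on dbo.GetUserLinks
' only, and that procedure takes @UserId int.
Option Explicit

Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

Dim conn, cmd, rs, userId

' The ASP process, not the visitor, connects. This is the only credential that
' ever touches SQL Server; grant it just the rights the application needs.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;" & _
          "Initial Catalog=WebSite;User ID=web_app;Password=PASSWORD_PLACEHOLDER;"

' The visitor only supplies a criteria value; it never becomes SQL text.
' Session("UserId") is assumed to be set by your own login page.
userId = Session("UserId")
If Not IsNumeric(userId) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "dbo.GetUserLinks"
cmd.CommandType = adCmdStoredProc
' Bound as a typed parameter: quotes or comment sequences in the input are
' data to SQL Server, not syntax.
cmd.Parameters.Append cmd.CreateParameter("@UserId", adInteger, adParamInput, , CLng(userId))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored link text cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("LinkTitle")) & ": " & _
                   Server.HTMLEncode(rs("LinkUrl")) & "<br>"
    rs.MoveNext
Loop

rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```

If the login is later given direct table rights by mistake, the page keeps working but the least-privilege property is lost, so check the grants in SQL Server rather than trusting the connection string alone.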


inungh

Dec 30, 2009, 2:48:38 PM12/30/09
> 2. Avoiding dynamic sql so as to eliminate the risk of sql injection
> http://mvp.unixwiz.net/techtips/sql-injection.html
> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
> http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
>
> Using parameters to avoid sql injection:
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=ukS%...
> http://www.google.com/groups?selm=eETTdnvFDHA.1660%40TK2MSFTNGP10.phx...
> http://groups.google.com/group/microsoft.public.inetserver.asp.genera...

>
> --
> Microsoft MVP - ASP/ASP.NET - 2004-2007
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"

Thanks a million for the help and information,
