Some Tips and Hints for Data Sources
Some things to consider when using SQL Server, or any other data sources, are:
- Protect the system administrator account with a strong password, just as you would the administrator account in Windows NT. SQL Server allows users to connect to it over the network (including the Internet) using the client-side tools supplied with it. If they crack your administrator account they can do almost anything you can with the database contents.
- Create Views, Queries, or Stored Procedures that contain only the information you wish to make available to a particular account group. For example, if an ASP page only needs to access a couple of fields in a large table, you should consider creating a view that contains only those fields, or a query or stored procedure that returns a recordset containing only those fields. In general, except for the simplest of tables, you should avoid accessing the table directly.
- Assign appropriate permissions to every object in the database. Even if some tables are not accessed by Web users, set up strong passwords on them. Use the ability of the database's own security system to allocate permissions on an object-by-object basis (even down to field level), including views, queries and stored procedures.
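The two points above (a narrow view or stored procedure instead of direct table access, and object-by-object permissions) in one worked T-SQL script. This is an added example, not code from the book; the table, column, role and procedure names are invented for illustration, and it uses current SQL Server syntax (CREATE ROLE, DENY) rather than the sp_addrole calls of the 1998 product.

```sql
-- Added example (not from the book): give the ASP page's account a narrow
-- view and a stored procedure instead of the whole Customers table.
-- All object names below are assumptions made up for this illustration.

-- A role for the database user that the ASP pages connect as.
-- (Add that user with: ALTER ROLE WebReader ADD MEMBER web_user;)
CREATE ROLE WebReader;
GO

-- Constructed base table: it holds more than the Web page should ever see.
CREATE TABLE dbo.Customers (
    CustomerID   int           NOT NULL PRIMARY KEY,
    CompanyName  nvarchar(80)  NOT NULL,
    City         nvarchar(40)  NULL,
    CreditLimit  money         NULL,      -- sensitive, never shown on the Web
    InternalNote nvarchar(400) NULL       -- sensitive, never shown on the Web
);
GO

-- View exposing only the fields the page needs.
CREATE VIEW dbo.CustomerDirectory
AS
    SELECT CustomerID, CompanyName, City
    FROM dbo.Customers;
GO

-- Stored procedure returning a recordset limited to one city; the caller
-- never names the table and cannot widen the column list.
CREATE PROCEDURE dbo.GetCustomersByCity
    @City nvarchar(40)
AS
    SET NOCOUNT ON;
    SELECT CustomerID, CompanyName
    FROM dbo.Customers
    WHERE City = @City;
GO

-- Object-by-object permissions: the role may use the view and the procedure,
-- and is explicitly denied every statement on the base table.
GRANT SELECT  ON dbo.CustomerDirectory  TO WebReader;
GRANT EXECUTE ON dbo.GetCustomersByCity TO WebReader;
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO WebReader;
GO

-- Field-level alternative mentioned in the text: grant individual columns
-- of the table instead of the table-level DENY above.
-- GRANT SELECT (CustomerID, CompanyName) ON dbo.Customers TO WebReader;

-- Checking the effect while impersonating a member of the role:
-- EXECUTE AS USER = 'web_user';                 -- assumed member of WebReader
-- SELECT * FROM dbo.CustomerDirectory;          -- succeeds
-- EXEC dbo.GetCustomersByCity @City = N'Leeds';  -- succeeds
-- SELECT CreditLimit FROM dbo.Customers;        -- fails: permission denied
-- REVERT;
```

The view and procedure work for WebReader even though the role has no rights on the table because all three objects share the owner dbo: SQL Server's ownership chaining skips the permission check on the underlying table when the chain is unbroken. That is what lets the design in the text hold, but it also means the DENY only protects the table against direct queries, so the view and procedure themselves must be written to expose nothing more than intended.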
- Create a custom data access component rather than using ASP code if you need to collect information from several places and work with it before returning it to the caller (such as formatting values or summarizing the contents). A component can hide details of the origin of the data from intruders (i.e. the passwords, table names, System DSNs, connection strings, etc.) much better than an ASP script, and will generally be faster.
- Avoid providing users with File DSNs on their own machines wherever possible. These contain information about the source of the data, and may tempt them to experiment with trying to obtain access to sensitive information.
© 1998 by Wrox Press. All rights reserved.