Re: SQL beginner help

"justin" <justin.creasy@xxxxxxxxx> wrote in message
news:1171286737.478866.166530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Feb 9, 4:10 pm, "Jon Slaughter" <Jon_Slaugh...@xxxxxxxxxxx> wrote:

"Ed Murphy" <emurph...@xxxxxxxxxxxx> wrote in message
news:45ccdb5f$0$24503$4c368faf@xxxxxxxxxxxxxxxxx

Jon Slaughter wrote:

In SQL Server you have security "groups" and users can join one or more groups. So a certain group may have read + write access over one table while another group only has read access. I do not know if this is how it works in MySQL or not. To accomplish your goal of users having access to only certain rows in a table is going to require some server-side code outside of the group security to determine if the user should be able to access a certain row.

Ok, but what is this code? Is it HTML, JavaScript, or what? Is it SQL statements that are embedded in the code (sort of like how I can use SQL in C#, but it's just more like a simple wrapper that forwards the SQL statements to the server)?

ASP, in your case. This may be as simple as including UserID as a
column in the table, then forwarding SQL statements like:

select (list of fields)
from the_table
where UserID = 'jblow123' (and possibly other conditions)

The overall architecture looks like this:

SQL <-------------------- ASP <-------------------- end user
                          logged into SQL           logged into web site
                          as "website"              as "jblow123"

The "website" SQL login can read/write any row in the table. The
ASP code chooses to read/write only certain rows in response to a
request from the "jblow123" web site login.

Ok, so it's up to the ASP front end to manage security (I guess it's better to say permission) rights? When the user logs onto the web site and interfaces with the ASP code it will decide how to handle what the user is able to do?

So ASP has its own login onto the SQL database (its own pipe, so to speak) but ASP will deal with restricting the user's access? So maybe jblow123 can change his own information but cannot change others' because the ASP front end is designed to only bring up his own information.

e.g., I'm thinking of an example where jblow wants to view his own account information. You design some ASP code that will bring up only jblow's information when he requests it (he can't request others' information (or at least private information), so the only way he could mess with others' stuff is if the ASP code was buggy/insecure)?

Basically you're telling me that jblow doesn't access the SQL server/database directly like I can when I go write an SQL statement and run it in Visual Studio? So I get to choose what he can do and what he can't? Since he cannot really get at the ASP code (?) he can't change things and force it to see something he's not supposed to? (like trick ASP into thinking he's jane431 to get her private info?)

If this is the case then I suppose it's not that difficult. I just have to learn ASP and SQL now ;) Basically the information and the security are handled separately. I think maybe I now have a mental map of what is going on. It's still kinda fuzzy but after I start working with ASP a little in Web Developer I'll probably get a better feel. I really just have no clue what ASP is and how it works yet and that's probably why I don't understand how it works too well. If what I'm thinking is true though then I do have a much clearer picture on how it fits together.

So is ASP the way to go with this or should I learn php/python/perl/etc... (all that other crap that I don't know that is big with web development.) I see a lot of sites that use PHP so I'm a little confused on what to do. (Of course this should be independent of the database itself? I could design the "front end" in ASP and later in PHP and it should still work the same (excluding the differences due to ASP and PHP)?

Thanks,
Jon

Thanks,
Jon

Whether to use ASP or PHP/Perl is a completely different argument with
large crowds on both sides. Personally I would say that if you know C#
and you are familiar with .NET, stick with ASP. It is different, but
that's because it's a scripting language. You almost have to put your
mind in a different state for it.


The problem I'm having is that to use ASP I have to use a server that
handles ASP. Right now my web host doesn't allow it except if I pay twice as
much. What I'm worried about is that if I learn it I might not actually be
able to use it much. I'm also worried that it would be better to just ajax
and jsp or something like that since maybe it is better supported? I really
think I would like asp(because I like C# and .NET) but it seems to be
expensive and limiting.

The direction you are going with the web front end controlling what
users can do is what I was thinking. I don't know if it's what a
database expert would recommend, but anytime I've needed functionality
similar to what you described I found I can code a middle-tier to the
system easier than anything else.


But I still need some client side execution ;/ I think I got a good picture now of what to do on the server side but I don't know how to actually fuse the two together to get what I want in a "secure" way. It seems that I might have to use Java to do the client side which will somehow interface with the server side front end (not directly with the database).

If you think security will be a concern I would listen to what Ed
mentioned. SQL injection attacks can be nasty. The biggest design
choice you should pay attention to is constrict every field you can to
not accept nulls unless they are really needed. I know there are many
many webinars on MSDN discussing various security concerns in SQL
Server. You're just gonna have to balance how much you need with how
much time you have to take care of it all.


I am going to try and avoid the client having any direct contact with the
SQL server so I shouldn't have to worry about this? He won't see any SQL
code in the page sources or anything like that so he won't know where the
SQL server is or be able to modify any SQL code in the page source?

Good luck. Hope I didn't make your problem any more confusing.


No, it helped. I have a much clearer idea about what's going on but I'm still having those issues above. I'm not sure what to do but I guess I'm just going to have to dive into it to get started. The basic web front end should be quite easy as it's just a database GUI-like thing (essentially wrapping an SQL database to provide certain functionality and security) and the hashing program is easy (just get which files to hash, compute the hash, return the hash to the web server). The problem is I don't understand how to combine the two. I'm not so worried about my client code being hacked but I just don't want to make it easy. It's more important that I actually do the web site than quit because of the client side insecurity issue.

Thanks for the help,
Jon
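One way to implement the middle tier Ed describes (the web app holds the only SQL login and restricts rows with a WHERE UserID clause), shown beside the "buggy/insecure" version Jon asks about. This is an added example, not code from anyone in the thread: Python with sqlite3 stands in for ASP and SQL Server, and the accounts table, its rows and the session dict are constructed for the example.

```python
"""Middle-tier pattern from the thread: the web app holds the only SQL
login, and row-level access comes from a WHERE UserID = ... clause the app
fills in from the session, never from the request. Constructed example:
sqlite3 stands in for SQL Server, the table and rows are made up."""
import sqlite3

# Constructed sample data: every row carries the owning UserID column.
ACCOUNTS = [
    ("jblow123", "jblow@example.invalid", 120.50),
    ("jane431", "jane@example.invalid", 980.00),
]


def open_db():
    """In-memory database seen through the single 'website' SQL login."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (UserID TEXT, email TEXT, balance REAL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return db


def account_rows_unsafe(db, user_id):
    """The buggy/insecure middle tier Jon worried about: the ID is pasted
    into the statement text, so request-controlled input can rewrite the
    WHERE clause and reach other users' rows (SQL injection)."""
    sql = "SELECT UserID, email, balance FROM accounts WHERE UserID = '%s'" % user_id
    return db.execute(sql).fetchall()


def account_rows(db, session_user_id):
    """Hardened middle tier: the value is bound as a parameter, so it is
    only ever compared against UserID and never parsed as SQL."""
    sql = "SELECT UserID, email, balance FROM accounts WHERE UserID = ?"
    return db.execute(sql, (session_user_id,)).fetchall()


def handle_my_account(db, session):
    """Request handler: UserID is taken from the authenticated session
    (a hypothetical dict), not from the URL or form, so a user cannot ask
    for somebody else's rows."""
    if "user_id" not in session:
        return []  # not logged in: nothing to show
    return account_rows(db, session["user_id"])


if __name__ == "__main__":
    db = open_db()
    print(handle_my_account(db, {"user_id": "jblow123"}))
```

The parameter binding is what keeps jblow123 from ever seeing jane431's row, whatever string reaches the query; taking the ID from the session rather than the request is what keeps him from simply asking for it.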

