Re: SQL beginner help
- From: "justin" <justin.creasy@xxxxxxxxx>
- Date: 12 Feb 2007 08:37:39 -0800
On Feb 12, 10:34 am, "Jon Slaughter" <Jon_Slaugh...@xxxxxxxxxxx>
"justin" <justin.cre...@xxxxxxxxx> wrote in message
On Feb 9, 4:10 pm, "Jon Slaughter" <Jon_Slaugh...@xxxxxxxxxxx> wrote:
"Ed Murphy" <emurph...@xxxxxxxxxxxx> wrote in message
Jon Slaughter wrote:
In SQL Server you have security "groups" and users can join one or
more groups. So a certain group may have read + write access over one
table while another group only has read access. I do not know if this
is how it works in MySQL or not. To accomplish your goal of users
having access to only certain rows in a table is going to require
server-side code outside of the group security to determine if the
user should be able to access a certain row.
statements that are embedded in the code (sorta like how I can use SQL
in C# but it's just more like a simple wrapper that forwards the SQL
statements to the server)?
ASP, in your case. This may be as simple as including UserID as a
column in the table, then forwarding SQL statements like:
select (list of fields)
where UserID = 'jblow123' (and possibly other conditions)
The overall architecture looks like this:
SQL <-------------------- ASP <-------------------- end user
         logged into SQL           logged into web site
         as "website"              as "jblow123"
The "website" SQL login can read/write any row in the table. The
ASP code chooses to read/write only certain rows in response to a
request from the "jblow123" web site login.
Ok, so it's up to the ASP front end to manage security (I guess it's better
say permission) rights? When the user logs onto the web site and
with the ASP code it will decide what how to handle what the user is able
So ASP has its own login onto the SQL database (its own pipe so to speak)
but ASP will deal with restricting the user's access? So maybe jblow123
change his own information but cannot change others' because the ASP front
end is designed to only bring up his own information.
e.g., I'm thinking of an example where jblow wants to view his own
information. You design some ASP code that will bring up only jblow's
information when he requests it (he can't request others' information (or
at least private information) so only way he could mess with others' stuff
if the ASP code was buggy/insecure?
Basically you're telling me that jblow doesn't access the SQL
directly like I can when I go write an SQL statement and run it in Visual
Studio? So I get to choose what he can do and what he can't? Since he
cannot really get at the ASP code(?) he can't change things and force it
see something he's not supposed to? (like trick ASP into thinking he's
jane431 to get her private info?)
If this is the case then I suppose it's not that difficult. I just have to
learn ASP and SQL now ;) Basically the information and the security are
handled separately. I think maybe I now have a mental map of what is
on. It's still kinda fuzzy but after I start working with ASP a little in
Developer I'll probably get a better feel. I really just have no clue
ASP is and how it works yet and that's probably why I don't understand how
works too well. If what I'm thinking is true though then I do have a much
clearer picture on how it fits together.
So is ASP the way to go with this or should I learn
(all that other crap that I don't know that is big with web development.)
see a lot of sites that use PHP so I'm a little confused on what to do.
(of course this should be independent of the database itself? I could
the "front end" in ASP and later in PHP and it should still work the
same (excluding the differences due to ASP and PHP)?
Whether to use ASP or PHP/Perl is a completely different argument with
large crowds on both sides. Personally I would say that if you know C#
and you are familiar with .NET, stick with ASP. It is different, but
that's because it's a scripting language. You almost have to put your
mind in a different state for it.
The problem I'm having is that to use ASP I have to use a server that
handles ASP. Right now my web host doesn't allow it except if I pay twice as
much. What I'm worried about is that if I learn it I might not actually be
able to use it much. I'm also worried that it would be better to just ajax
and jsp or something like that since maybe it is better supported? I really
think I would like asp(because I like C# and .NET) but it seems to be
expensive and limiting.
The direction you are going with the web front end controlling what
users can do is what I was thinking. I don't know if it's what a
database expert would recommend, but anytime I've needed functionality
similar to what you described I found I can code a middle-tier to the
system easier than anything else.
But I still need some client side execution ;/ I think I got a good picture
now what to do on the server side but I don't know how to actually fuse the
two together to get what I want in a "secure" way. It seems that I might
have to use java to do the client side which will somehow interface with the
server side front end(not directly with the database).
If you think security will be a concern I would listen to what Ed
mentioned. SQL injection attacks can be nasty. The biggest design
choice you should pay attention to is constrict every field you can to
not accept nulls unless they are really needed. I know there are many
many webinars on MSDN discussing various security concerns in SQL
Server. You're just gonna have to balance how much you need with how
much time you have to take care of it all.
I am going to try and avoid the client having any direct contact with the
SQL server so I shouldn't have to worry about this? He won't see any SQL
code in the page sources or anything like that so he won't know where the
SQL server is or be able to modify any SQL code in the page source?
Good luck. Hope I didn't make your problem any more confusing.
No, it helped. I have a much clearer idea about what's going on but I still
having those issues above. I'm not sure what to do but I guess I'm just
going to have to dive into it to get started. The basic web front end
should be quite easy as it's just a database GUI like thing (essentially
wrapping an SQL database to provide certain functionality and security) and
the hashing program is easy (just get which files to hash, compute hash,
return the hash to the web server). The problem is I don't understand how to
combine the two. I'm not so worried about my client code being hacked but I
just don't want it to make it easy. It's more important that I actually do
the web site than quit because of the client side insecurity issue.
Thanks for the help,
PHP servers are most definitely cheaper than .NET servers. I know very
little about PHP and only a moderate amount about JAVA/AJAX. There are
probably much better forums than this one to find tutorials and such
regarding those languages and database access.
As for the client-side, you can code it two ways. You can create an
application, in which case you have a standard client-side and server-
side application, with only the server-side accessing the database and
returning the data to the client-side either as DataSets (.NET only)
or just parsing the data in some known fashion, this depends heavily
on the type of data you're working with. The other way again is to do
a web front-end. In this case there is no client app, just a client
accessing your webpage. For this you would have an ASP login interface
(or PHP login interface) to access the page, then use another level of
code to control what the user can do.
Again, I highly recommend visiting some other forums where people with
more robust knowledge than I can provide can give you some direction.
Then you should be able to determine if it's better to learn PHP/Perl/
etc or if it's better to learn ASP and pay a few more dollars a month
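Added example (not code from anyone in this thread): a small model of the architecture Ed sketched, in which the web login ("website") can reach every row but the middle-tier code only ever reads or writes the row of the user who is logged into the site. Python with an in-memory sqlite3 database stands in for ASP and SQL Server, the Profiles table and its columns are constructed for the demo, and the session user is assumed to come from the server-side login, never from the request. The last function shows the string-splicing habit the thread's SQL injection warning is about, beside the parameterized form that defeats it.

```python
import sqlite3


def build_demo_db():
    """Constructed sample table standing in for the thread's per-user table.
    The connection plays the "website" SQL login, which may touch any row;
    the functions below decide which rows a given web-site user can reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Profiles (UserID TEXT PRIMARY KEY, Email TEXT, Notes TEXT)"
    )
    conn.executemany(
        "INSERT INTO Profiles VALUES (?, ?, ?)",
        [
            ("jblow123", "jblow@example.invalid", "jblow's private notes"),
            ("jane431", "jane@example.invalid", "jane's private notes"),
        ],
    )
    conn.commit()
    return conn


def get_own_profile(conn, session_user):
    """Middle-tier read: the row filter is the server-side session user (an
    assumption of this demo), and the value is bound as a parameter, so the
    database compares it as data rather than interpreting it as SQL."""
    return conn.execute(
        "SELECT UserID, Email, Notes FROM Profiles WHERE UserID = ?",
        (session_user,),
    ).fetchone()


def update_own_email(conn, session_user, new_email):
    """Middle-tier write: the WHERE clause pins the UPDATE to the session
    user's row, so a request can never alter another user's data.
    Returns the number of rows changed (0 or 1)."""
    cur = conn.execute(
        "UPDATE Profiles SET Email = ? WHERE UserID = ?", (new_email, session_user)
    )
    conn.commit()
    return cur.rowcount


def handle_view_request(conn, session_user, requested_user):
    """What a page handler does with a request such as ?user=jane431: it
    compares the requested id against the session and refuses anything but
    the caller's own row, so the SQL never runs for someone else's data."""
    if requested_user != session_user:
        return None  # refused by the application layer
    return get_own_profile(conn, session_user)


def get_profile_by_concatenation(conn, requested_user):
    """The anti-pattern behind the thread's SQL injection warning, kept only
    for contrast: request text is spliced into the statement, so the WHERE
    clause becomes whatever the client chooses to make it."""
    sql = (
        "SELECT UserID, Email, Notes FROM Profiles WHERE UserID = '"
        + requested_user
        + "'"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(get_own_profile(db, "jblow123"))
    print(handle_view_request(db, "jblow123", "jane431"))  # None: refused
    # Parameterized query: the odd string simply matches no UserID.
    print(get_own_profile(db, "x' OR 'a'='a"))
    # Concatenated query: the same string widens the filter to every row.
    print(len(get_profile_by_concatenation(db, "x' OR 'a'='a")))
```

The point for the design in this thread is in `handle_view_request` and `update_own_email`: the application never trusts a user id that arrived in the request, it takes it from the authenticated session and binds it as a parameter. With that in place, jblow123 cannot reach jane431's row even by editing the page source or the query string, because the only SQL that ever runs is the SQL the middle tier chose to send.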