Re: SQL beginner help




"justin" <justin.creasy@xxxxxxxxx> wrote in message
news:1171298259.615820.10320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 12, 10:34 am, "Jon Slaughter" <Jon_Slaugh...@xxxxxxxxxxx>
wrote:
"justin" <justin.cre...@xxxxxxxxx> wrote in message

news:1171286737.478866.166530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On Feb 9, 4:10 pm, "Jon Slaughter" <Jon_Slaugh...@xxxxxxxxxxx> wrote:
"Ed Murphy" <emurph...@xxxxxxxxxxxx> wrote in message

news:45ccdb5f$0$24503$4c368faf@xxxxxxxxxxxxxxxxx

Jon Slaughter wrote:

In SQL Server you have security "groups" and users can join one or more
groups. So a certain group may have read + write access over one table
while another group only has read access. I do not know if this is how it
works in MySQL or not. To accomplish your goal of users having access to
only certain rows in a table is going to require some server-side code
outside of the group security to determine if the user should be able to
access a certain row.

Ok, but what is this code? Is it HTML, JavaScript, or what? Is it SQL
statements that are embedded in the code (sort of like how I can use SQL
in C# but it's just more like a simple wrapper that forwards the SQL
statements to the server)?

ASP, in your case. This may be as simple as including UserID as a
column in the table, then forwarding SQL statements like:

select (list of fields)
from the_table
where UserID = 'jblow123' (and possibly other conditions)

The overall architecture looks like this:

SQL <-------------------- ASP <-------------------- end user
       logged into SQL           logged into web site
       as "website"              as "jblow123"

The "website" SQL login can read/write any row in the table. The
ASP code chooses to read/write only certain rows in response to a
request from the "jblow123" web site login.

Ok, so it's up to the ASP front end to manage security (I guess it's
better to say permission) rights? When the user logs onto the web site
and interfaces with the ASP code it will decide how to handle what the
user is able to do?

So ASP has its own login onto the SQL database (its own pipe, so to
speak) but ASP will deal with restricting the user's access? So maybe
jblow123 can change his own information but cannot change others'
because the ASP front end is designed to only bring up his own
information.

E.g., I'm thinking of an example where jblow wants to view his own
account information. You design some ASP code that will bring up only
jblow's information when he requests it (he can't request others'
information (or at least private information)), so the only way he could
mess with others' stuff is if the ASP code was buggy/insecure?

Basically you're telling me that jblow doesn't access the SQL
server/database directly like I can when I go write an SQL statement and
run it in Visual Studio? So I get to choose what he can do and what he
can't? Since he cannot really get at the ASP code (?) he can't change
things and force it to see something he's not supposed to? (Like trick
ASP into thinking he's jane431 to get her private info?)

If this is the case then I suppose it's not that difficult. I just have
to learn ASP and SQL now ;) Basically the information and the security
are handled separately. I think maybe I now have a mental map of what is
going on. It's still kinda fuzzy but after I start working with ASP a
little in Web Developer I'll probably get a better feel. I really just
have no clue what ASP is and how it works yet and that's probably why I
don't understand how it works too well. If what I'm thinking is true
though then I do have a much clearer picture on how it fits together.

So is ASP the way to go with this or should I learn
PHP/Python/Perl/etc... (all that other crap that I don't know that is big
with web development)? I see a lot of sites that use PHP so I'm a little
confused on what to do. (Of course this should be independent of the
database itself? I could design the "front end" in ASP and later in PHP
and it should still work the same (excluding the differences due to ASP
and PHP)?)

Thanks,
Jon

Whether to use ASP or PHP/Perl is a completely different argument with
large crowds on both sides. Personally I would say that if you know C#
and you are familiar with .NET, stick with ASP. It is different, but
that's because it's a scripting language. You almost have to put your
mind in a different state for it.

The problem I'm having is that to use ASP I have to use a server that
handles ASP. Right now my web host doesn't allow it except if I pay twice
as much. What I'm worried about is that if I learn it I might not
actually be able to use it much. I'm also worried that it would be better
to just ajax and jsp or something like that since maybe it is better
supported? I really think I would like ASP (because I like C# and .NET)
but it seems to be expensive and limiting.

The direction you are going with the web front end controlling what
users can do is what I was thinking. I don't know if it's what a
database expert would recommend, but anytime I've needed functionality
similar to what you described I found I can code a middle-tier to the
system easier than anything else.

But I still need some client side execution ;/ I think I got a good
picture now what to do on the server side but I don't know how to
actually fuse the two together to get what I want in a "secure" way. It
seems that I might have to use Java to do the client side which will
somehow interface with the server side front end (not directly with the
database).

If you think security will be a concern I would listen to what Ed
mentioned. SQL injection attacks can be nasty. The biggest design
choice you should pay attention to is constrict every field you can to
not accept nulls unless they are really needed. I know there are many
many webinars on MSDN discussing various security concerns in SQL
Server. You're just gonna have to balance how much you need with how
much time you have to take care of it all.

I am going to try and avoid the client having any direct contact with the
SQL server so I shouldn't have to worry about this? He won't see any SQL
code in the page sources or anything like that so he won't know where the
SQL server is or be able to modify any SQL code in the page source?

Good luck. Hope I didn't make your problem any more confusing.

No, it helped. I have a much clearer idea about what's going on but I'm
still having those issues above. I'm not sure what to do but I guess I'm
just going to have to dive into it to get started. The basic web front
end should be quite easy as it's just a database GUI-like thing
(essentially wrapping an SQL database to provide certain functionality
and security) and the hashing program is easy (just get which files to
hash, compute hash, return the hash to the web server). The problem is I
don't understand how to combine the two. I'm not so worried about my
client code being hacked but I just don't want it to make it easy. It's
more important that I actually do the web site than quit because of the
client side insecurity issue.

Thanks for the help,
Jon

PHP servers are most definitely cheaper than .NET servers. I know very
little about PHP and only a moderate amount about JAVA/AJAX. There are
probably much better forums than this one to find tutorials and such
regarding those languages and database access.

As for the client-side, you can code it two ways. You can create an
application, in which case you have a standard client-side and server-
side application, with only the server-side accessing the database and
returning the data to the client-side either as DataSets (.NET only)
or just parsing the data in some known fashion, this depends heavily
on the type of data you're working with. The other way again is to do
a web front-end. In this case there is no client app, just a client
accessing your webpage. For this you would have an ASP login interface
(or PHP login interface) to access the page, then use another level of
code to control what the user can do.

Again, I highly recommend visiting some other forums where people with
more robust knowledge than I can provide can give you some direction.
Then you should be able to determine if it's better to learn PHP/Perl/
etc or if it's better to learn ASP and pay a few more dollars a month
for hosting.


Ok, I appreciate it. I'm not sure what I'll do. I think I'll try to learn a
little of all of them so I'll have a better idea.

One thing I'm unclear on, and maybe you can clear this up for me, is how
do I send information transparently from the client to the web site?
Suppose I write a Java applet and the Java applet computes the hashes.
How do I send them to the web page that contains the applet in a way that
it is transparent to the user? Is there a feature in Java that does this
or what? Basically I need to populate some data structure on the web site
that is hidden to the user but that the Java client can see. I'm not sure
how easy this is to do. I suppose I can transfer the data using HTTP?
What I'm worried about is if this will work on the same session or not?

I'm probably not too clear as I have not really ever messed with this
stuff but I think this is the last major hurdle I have. What I'm thinking
at the moment is to go ahead and create a simple login web site and then
an applet that will transfer information from the client to the web site.
(So the applet might send "Hello" to the web site and the website will
then display that. But it will need to be session dependent so it makes
sense.)

Hopefully I'm making sense ;)

Thanks,
Jon
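
The middle-tier pattern discussed in this thread, as an added example that is not part of any poster's message: Python with an in-memory sqlite3 database stands in for the ASP layer and the SQL server (assumptions), and the email column, sample rows, session store and function names are constructed for illustration. It puts the concatenated query beside the bound-parameter one, and takes the row filter from the server-side session rather than from anything the client sends.

```python
import sqlite3
import secrets

# Constructed sample data; sqlite3 stands in for the SQL server and this
# module stands in for the ASP middle tier (both are assumptions).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE the_table (UserID TEXT PRIMARY KEY, email TEXT NOT NULL)")
db.executemany("INSERT INTO the_table VALUES (?, ?)",
               [("jblow123", "jblow@example.test"),
                ("jane431", "jane@example.test")])

SESSIONS = {}  # session token -> UserID, kept only on the server


def login(user_id):
    """Issue a random session token after (omitted) password verification."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def rows_unsafe(user_id):
    """Weak form: the value is pasted into the SQL text."""
    sql = "SELECT UserID, email FROM the_table WHERE UserID = '%s'" % user_id
    return db.execute(sql).fetchall()


def rows_for_session(token):
    """Hardened form: identity comes from the session, value is bound."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        raise PermissionError("not logged in")
    return db.execute(
        "SELECT UserID, email FROM the_table WHERE UserID = ?", (user_id,)
    ).fetchall()


def update_email(token, new_email):
    """Write path: the WHERE clause is fixed to the session's own UserID."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        raise PermissionError("not logged in")
    cur = db.execute("UPDATE the_table SET email = ? WHERE UserID = ?",
                     (new_email, user_id))
    db.commit()
    return cur.rowcount
```

The database login used by the middle tier can still read and write every row; the per-user restriction exists only in these functions, so any query path that skips them is unrestricted.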

