
I have created an SQL Server and a client (C#) that directly queries the server. The problem is that I feel this is not secure, because every client (say 5 different clients in total) now has the connection string, and I believe this is a crucial vulnerability.

What is the best way to create a back-end for an SQL Server running on my machine? This SQL Server will have to be accessible over the internet from various clients. Is the best option some C# application running with some library to interpret calls from the client?


2 Answers


It will never be secure if you allow your clients to CRUD without login. It is also insecure to pass your connection string to your client if it is not necessary.

The better practice for a more secure backend application is to wrap actions into an API (let's say UpdateClientInfo()); all database access goes through the APIs, and your clients are only allowed to make use of the API. In this case your connection string will not be transferred over the internet.

When the existing APIs are not suitable for your clients, kindly ask them to open a pull request and implement the request, rather than providing the connection string to them.

It is also necessary to require the clients to provide a user + password when they would like to access your service.


2 Comments

Please also take a look at other REST APIs to learn how others group their resources. This will help you design an API that's not too coarse and not too detailed.
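The pattern this answer describes (database access wrapped behind an authenticated API so the connection string never leaves the server), as an added example that is not code from the original post or its authors. It is an ASP.NET Core minimal API using Microsoft.Data.SqlClient and JWT bearer authentication; the connection string name `ClientsDb`, the `Jwt:*` configuration keys, and the `dbo.Clients` table with columns `Id`, `Name`, `Email`, `UpdatedBy` are all assumptions. Token issuance (a login endpoint that checks user + password and returns a JWT, or an external identity provider) is out of scope here; the endpoint only validates a token that such a component issued.

```csharp
// Added example, not from the original post. Assumes packages
// Microsoft.AspNetCore.Authentication.JwtBearer and Microsoft.Data.SqlClient,
// a connection string "ClientsDb" and Jwt:Key/Issuer/Audience in configuration
// (appsettings.json, user-secrets or environment), and a hypothetical table
// dbo.Clients(Id, Name, Email, UpdatedBy).
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Data.SqlClient;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// The connection string lives only here, on the server. Clients never receive it.
string connectionString = builder.Configuration.GetConnectionString("ClientsDb")
    ?? throw new InvalidOperationException("ConnectionStrings:ClientsDb is not configured");

// Every call must carry a valid bearer token; this is the "user + password" requirement
// of the answer, moved to a token the login step hands out (login endpoint not shown).
string jwtKey = builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured");
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],
            ValidateLifetime = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey)),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();   // credentials and data travel only inside TLS
app.UseAuthentication();
app.UseAuthorization();

// UpdateClientInfo() from the answer, exposed as PUT /clients/{id}.
// The caller supplies values only; the SQL text is fixed and parameterised.
app.MapPut("/clients/{id:int}", async (int id, ClientInfo info, ClaimsPrincipal user) =>
{
    if (string.IsNullOrWhiteSpace(info.Name) || info.Name.Length > 100)
        return Results.BadRequest("Name is required and must be at most 100 characters.");

    await using var conn = new SqlConnection(connectionString);
    await conn.OpenAsync();

    await using var cmd = new SqlCommand(
        "UPDATE dbo.Clients SET Name = @name, Email = @email, UpdatedBy = @by WHERE Id = @id",
        conn);
    cmd.Parameters.AddWithValue("@name", info.Name);
    cmd.Parameters.AddWithValue("@email", (object?)info.Email ?? DBNull.Value);
    cmd.Parameters.AddWithValue("@by", user.Identity?.Name ?? "unknown"); // who did it, from the token
    cmd.Parameters.AddWithValue("@id", id);

    int rows = await cmd.ExecuteNonQueryAsync();
    return rows == 0 ? Results.NotFound() : Results.NoContent();
}).RequireAuthorization();

app.Run();

// Request body for UpdateClientInfo; must be declared after the top-level statements.
record ClientInfo(string Name, string? Email);
```

Two points worth keeping in mind with this layout: the SQL login in `ClientsDb` should be a dedicated account granted only the statements the API actually runs (here, UPDATE on `dbo.Clients`), so that even a bug in the service cannot reach the rest of the database; and the per-user identity is enforced at the API (the token), not by handing each user a database login.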

There are many possible solutions. Exposing the database server is always a security risk. As you're obviously running on a Windows server, I'd use a WCF service to handle the communication between the clients and the database.

It is also possible to implement REST services in C#, which allows you to communicate via ports 80 or (preferably) 443. That, depending on the firewall configuration, may be a good idea anyway, as it is a standard port which, in most cases, will be open for outgoing communication from the client side and can be enabled on the server side.

Look at existing APIs (for example for online shops, etc) to see how they group resources. This will help you design better APIs yourself.

5 Comments

Since I have a small amount of users (~5), why is it a bad idea to append their username/password to the connection string and handle logins like this? Then it doesn't matter if there is no back end and the queries are fired directly from the client?
The users you know won't be the only ones trying to access the server. You will be amazed to see how many hacking attempts there'll be. Also, you cannot change the implementation easily. A REST API service would allow the client to access data through a given interface, but the real logic would be in one service instance. Changing the logic in your case would require an update for all clients. When you use a service, there's only a single point of failure.
I'm not saying you can't do it your way - I'm just saying that I wouldn't :-) Also: How do you secure communication? You need to make sure that no man-in-the-middle can access the connection data. Then you need to make sure communication is encrypted, etc. You get all this for free if you create a REST service via HTTPS.
Ok I understand. So the question boils down to ASP vs WCF?
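The client side of the arrangement discussed in this answer and its comments, as an added example that is not code from the original post or its authors: the C# client holds no connection string at all, refuses anything but HTTPS (so there is no plaintext for a man-in-the-middle to read), logs in with user + password once, and then calls the API with the returned token. The `/login` endpoint, its JSON shape (`{ "token": "..." }`) and the `/clients/{id}` route are assumptions.

```csharp
// Added example, not from the original post. A desktop client for a REST back-end.
// Assumed server contract: POST /login {user,password} -> {token}; PUT /clients/{id} {name,email}.
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;

public sealed class ClientsApi
{
    private readonly HttpClient _http;

    public ClientsApi(Uri baseAddress)
    {
        // Refuse plaintext outright: credentials and data must only ever travel inside TLS.
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("The API must be called over https", nameof(baseAddress));
        _http = new HttpClient { BaseAddress = baseAddress };
    }

    // Exchanges user + password for a bearer token; the password is sent once and not kept.
    public async Task LoginAsync(string user, string password)
    {
        using var resp = await _http.PostAsJsonAsync("/login", new { user, password });
        if (resp.StatusCode == HttpStatusCode.Unauthorized)
            throw new UnauthorizedAccessException("login rejected");
        resp.EnsureSuccessStatusCode();

        var body = await resp.Content.ReadFromJsonAsync<LoginResponse>()
                   ?? throw new InvalidOperationException("empty login response");
        _http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", body.Token);
    }

    // The only way this client can change a record: through the API, never via SQL.
    public async Task UpdateClientInfoAsync(int id, string name, string? email)
    {
        using var resp = await _http.PutAsJsonAsync($"/clients/{id}", new { name, email });
        if (resp.StatusCode == HttpStatusCode.NotFound)
            throw new KeyNotFoundException($"client {id} does not exist");
        if (resp.StatusCode == HttpStatusCode.Unauthorized)
            throw new UnauthorizedAccessException("token missing, expired or rejected");
        resp.EnsureSuccessStatusCode();
    }

    private sealed record LoginResponse(string Token);
}

// Usage (hypothetical host name):
//   var api = new ClientsApi(new Uri("https://api.example.test/"));
//   await api.LoginAsync("alice", passwordFromPrompt);
//   await api.UpdateClientInfoAsync(42, "Alice Example", "alice@example.test");
```

Compared with the connection-string approach raised in the comments, what the client can do is now bounded by the endpoints the service exposes rather than by whatever the database login permits, and changing the logic means redeploying one service instead of five clients.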
