Finally got SQL remote access to work


Question


Finally got this code to work inside my local windows form application.

Imports System.Data.SqlClient

' Connection string with the database credentials hard-coded into the client application.
Dim SQLConnection1 As New SqlConnection("Data Source=msdb3.surftown.dk;Initial Catalog=userdata;Persist Security Info=True;User ID=default;Password=secret123")
' The user name typed into the textbox is concatenated straight into the SQL text.
Dim sqlCommand1 As New SqlCommand("SELECT Password FROM [AllUserData] WHERE UserName='" & TextBox1.Text & "';", SQLConnection1)
SQLConnection1.Open()
' The stored password is displayed to whoever runs the application.
MsgBox("user password=" & sqlCommand1.ExecuteScalar())
SQLConnection1.Close()




As you might have guessed, this code retrieves the password of the user with username like Textbox1.text. Good, to make this work I had to go to my webhost and set "add extern db-access" and add my own IP address.

So this is a kind of double question.

First off, if I release this as a free application for everyone to use, is this too unsafe? I mean, can't people/hackers see the ConnectionString and access my database by themselves?

Secondly, is it possible to make remote access not bound to specific IP addresses? Right now it's only my local IP address which will work I guess ..

Thank you



Also, if this is the completely wrong way to do it (for an application everyone should be able to download) then what is the right way? Through an asp.net page?

Recommended answer

wrote:

First off, if I release this as a free application for everyone to use, is this too unsafe?






Yes, it's very unsafe. You're building SQL from a textbox in your login form. You then show it in a message box, so I can find anyone's password. But, that's not the worst of it. I can insert my own username and password into your database, or just erase your whole database, because you do nothing to protect yourself from SQL Injection.

wrote:

I mean, can't people/hackers see the ConnectionString and access my database by themselves?






Because you don't protect yourself from SQL Injection, people can access your database without seeing the connection string. But yes, they could also use reflection to find the connection string, there's no real way around this, except building a secure database in the first place. Your login as provided by the program should not have permission to do anything you don't want a user of your program to do.

wrote:

Secondly, is it possible to make remote access not bound to specific IP addresses?






Not really. You need an IP address to specify a database, that or a URL. If you register a URL for your online database server, then you could change the server that hosts that URL. Another way to do it, is to have a webservice that provides the URL to the database, so you can change it for all your users by updating the webservice. A webservice is also a better way in general to provide database access in a controlled and layered manner, I'm sorry, I should have thought of that last time you asked.
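As an added example (not the asker's or the answerer's code), here is a hardened version of the lookup from the question in VB.NET: the user name is passed as a typed SqlParameter instead of being concatenated into the SQL text, the stored password is never sent back to the client, and the server, database and login values are placeholders that should live outside the compiled application (a config file or, as the answer suggests, a web service).

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module SafeUserLookup
    ' Placeholders: in a shipped application these values must not be compiled in,
    ' because anyone can recover them from the binary with reflection.
    Private Const ConnString As String =
        "Data Source=<server-placeholder>;Initial Catalog=<db-placeholder>;" &
        "User ID=<readonly-login-placeholder>;Password=<secret-placeholder>"

    ' Checks whether an account with the given user name exists.
    ' The user name travels as a parameter, so quotes or SQL keywords typed into
    ' the textbox are treated as data, never as part of the query.
    ' The password column is deliberately not selected or returned.
    Public Function UserExists(userName As String) As Boolean
        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand(
                    "SELECT COUNT(*) FROM [AllUserData] WHERE UserName = @userName;", conn)
                ' Typed, length-limited parameter (assumed column size: 50 characters).
                cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

    ' Least privilege, as the answer recommends: the login used by the program
    ' should only be able to do what a user of the program is allowed to do.
    ' Granted once on the server by the DBA, e.g.:
    '   GRANT SELECT ON [AllUserData] TO <readonly-login-placeholder>;
    ' With no INSERT/UPDATE/DELETE rights, the login cannot add accounts or
    ' erase tables even if another query in the application were flawed.
End Module
```

In a form, call UserExists(TextBox1.Text) in place of the concatenated query; the parameter value can contain a stray apostrophe (for example O'Brien) without changing the query's structure.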



The code was pretty much for an example, I don't know very much about how safe windows forms are, so my first question was pretty much, "is it safe to store passwords and other stuff like a connection string in the code of an application. I guess the code is easy to retrieve/hack"

Thank you for the hint with the WebService control, I will look into it, it sounds like the best way to do it indeed :)

