ADO.NET and Stored Procedures

Download Report

Transcript ADO.NET and Stored Procedures

ADO.NET AND STORED
PROCEDURES
- Swetha Kulkarni
RDBMS
ADO.NET Provider





SqlClient
OracleClient
OleDb
ODBC
SqlServerCE
Application
Dataset
•
•
•
•
•
System.Data.SqlClient
System.Data.OracleClient
System.Data.OleDb
System.Data.Odbc
System.Data.SqlServerCe
RDBMS
ADO.NET Provider
Connection
Application
Dataset
RDBMS
ADO.NET Provider
Connection
Dataadapter
Dataadapter
Application
Dataset
Datatable
Datatable
ADO.NET Objects
System.Data
DataSet
DataTable



In-memory cache of a database table
Used to manipulate a row in a DataTable

Used to define the columns in a DataTable

Used to relate 2 DataTables to each other

DataRow
DataColumn
DataRelation
Contains the “main” classes of ADO.NET
In-memory cache of data
Benefits of Stored Procedures




Stored procedures pass less information over the
network on the initial request. Hence faster
Parameterized stored procedures that validate all user
input can be used to thwart SQL injection attacks
Errors can be handled in procedure code without being
passed directly to client applications
Stored procedures can be written once, and accessed by
many applications
Security Overview – ADO.NET

Design for Security
-

Threat Modeling
The Principle of Least Privilege
Authentication

If possible, use Windows authentication
 SqlConnection
pubsConn = new SqlConnection(
"server=dbserver; database=pubs; Integrated
Security=SSPI;");

If you use SQL authentication, use strong passwords
 SqlConnectionString
= "Server=YourServer\Instance;
Database=YourDatabase; uid=sa; pwd=;"

Consider Which Identity to Use to Connect to the
Database
Ownership chain
Authorization

Restrict Unauthorized Code

Restrict Application Access to the Database
Configuration and Connection Strings


Avoid Credentials in Connection Strings
Store Encrypted Connection Strings in Configuration
Files
<connectionStrings>
<add name="MyDatabaseConnection" connectionString="Persist Security
Info=False;Integrated Security=SSPI;database=Northwind;server=(local);"
providerName="System.Data.SqlClient" />
</connectionStrings>


Do Not Use Persist Security Info="true" or "yes"
Avoid Connection Strings Constructed With User
Input
Exception Management




Use Finally Blocks to Make Sure that Database
Connections Are Closed
Consider Employing the Using Statement to Make Sure
that Database Connections Are Closed
Avoid Propagating ADO.NET Exceptions to Users
In ASP.NET, Use a Generic Error Page , Log exceptions
on the server
Secure Data Access




Authentication, Authorization and Permissions
Parameterized Commands and SQL Injection
Script Exploits
Probing Attacks
Privacy and Data Security

Cryptography and Hash Codes

Encrypting Configuration Files

Securing String Values in Memory
Best Practices – Stored Procedures




Grant EXECUTE permissions for database roles
Revoke or deny all permissions to the underlying
tables for all roles and users in the database
Do not add users or roles to the sysadmin or
db_owner roles
Disable the guest account. This will prevent
anonymous users from connecting to the database
References



http://www.guidanceshare.com/wiki/ADO.NET_2.0
_Security_Guidelines
http://msdn.microsoft.com/enus/library/ms971481.aspx
http://msdn.microsoft.com/enus/library/bb669058.aspx
Thank You