ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider SqlClient OracleClient ...

Preview:

Citation preview

ADO.NET AND STORED PROCEDURES

- Swetha Kulkarni

RDBMS

ADO.NET Provider SqlClient OracleClient OleDb ODBC SqlServerCE

• System.Data.SqlClient• System.Data.OracleClie

nt• System.Data.OleDb• System.Data.Odbc• System.Data.SqlServer

Ce

Application Dataset

RDBMS

ADO.NET Provider

Application Dataset

Connection

RDBMS

ADO.NET Provider

Application Dataset

Dataadapter

Dataadapter

Connection

Datatable

Datatable

ADO.NET Objects

Contains the “main” classes of ADO.NET

In-memory cache of data

In-memory cache of a database table

Used to manipulate a row in a DataTable

Used to define the columns in a DataTable

Used to relate 2 DataTables to each other

System.Data

DataTable

DataRow

DataRelation

DataColumn

DataSet

Benefits of Stored Procedures Stored procedures pass less information over the

network on the initial request. Hence faster

Parameterized stored procedures that validate all user input can be used to thwart SQL injection attacks

Errors can be handled in procedure code without being passed directly to client applications

Stored procedures can be written once, and accessed by many applications

Security Overview – ADO.NET

Design for Security - Threat Modeling

The Principle of Least Privilege

Authentication

If possible, use Windows authentication SqlConnection pubsConn = new

SqlConnection( "server=dbserver; database=pubs; Integrated Security=SSPI;");

If you use SQL authentication, use strong passwords SqlConnectionString = "Server=YourServer\

Instance; Database=YourDatabase; uid=sa; pwd=;"

Consider Which Identity to Use to Connect to the Database

Ownership chain

Authorization

Restrict Unauthorized Code

Restrict Application Access to the Database

Configuration and Connection Strings

Avoid Credentials in Connection Strings Store Encrypted Connection Strings in

Configuration Files <connectionStrings>

<add name="MyDatabaseConnection" connectionString="Persist Security Info=False;Integrated Security=SSPI;database=Northwind;server=(local);" providerName="System.Data.SqlClient" />

</connectionStrings>

Do Not Use Persist Security Info="true" or "yes" Avoid Connection Strings Constructed With User

Input

Exception Management

Use Finally Blocks to Make Sure that Database Connections Are Closed

Consider Employing the Using Statement to Make Sure that Database Connections Are Closed

Avoid Propagating ADO.NET Exceptions to Users

In ASP.NET, Use a Generic Error Page , Log exceptions on the server

Secure Data Access

Authentication, Authorization and Permissions

Parameterized Commands and SQL Injection

Script Exploits Probing Attacks

Privacy and Data Security

Cryptography and Hash Codes

Encrypting Configuration Files

Securing String Values in Memory

Best Practices – Stored Procedures Grant EXECUTE permissions for database

roles Revoke or deny all permissions to the

underlying tables for all roles and users in the database

Do not add users or roles to the sysadmin or db_owner roles

Disable the guest account. This will prevent anonymous users from connecting to the database

References

http://www.guidanceshare.com/wiki/ADO.NET_2.0_Security_Guidelines

http://msdn.microsoft.com/en-us/library/ms971481.aspx

http://msdn.microsoft.com/en-us/library/bb669058.aspx

Thank You

Recommended