ADO.NET AND STORED PROCEDURES - Swetha Kulkarni
RDBMS / ADO.NET Provider / Application (DataSet)
 SqlClient: System.Data.SqlClient
 OracleClient: System.Data.OracleClient
 OleDb: System.Data.OleDb
 ODBC: System.Data.Odbc
 SqlServerCE: System.Data.SqlServerCe

[Diagram: RDBMS, ADO.NET Provider (Connection, DataAdapter), Application (DataSet, DataTable)]

ADO.NET Objects
 System.Data: contains the "main" classes of ADO.NET
 DataSet: in-memory cache of data
 DataTable: in-memory cache of a database table
 DataRow: used to manipulate a row in a DataTable
 DataColumn: used to define the columns in a DataTable
 DataRelation: used to relate 2 DataTables to each other

Benefits of Stored Procedures
 Stored procedures pass less information over the network on the initial request, hence they are faster
 Parameterized stored procedures that validate all user input can be used to thwart SQL injection attacks
 Errors can be handled in procedure code without being passed directly to client applications
 Stored procedures can be written once and accessed by many applications

Security Overview – ADO.NET
 Design for Security - Threat Modeling
 The Principle of Least Privilege

Authentication
 If possible, use Windows authentication:
  SqlConnection pubsConn = new SqlConnection("server=dbserver; database=pubs; Integrated Security=SSPI;");
 If you use SQL authentication, use strong passwords:
  string SqlConnectionString = @"Server=YourServer\Instance; Database=YourDatabase; uid=sa; pwd=;";
  (Note that this sample string, as written, uses the sa login with an empty password, which is exactly the weak configuration the bullet warns against.)
 Consider which identity to use to connect to the database

Ownership chain

Authorization
 Restrict Unauthorized Code
 Restrict Application Access to the Database

Configuration and Connection Strings
 Avoid Credentials in Connection Strings
 Store Encrypted Connection Strings in Configuration Files
 Do Not Use Persist Security Info="true" or "yes"
 Avoid Connection Strings Constructed With User Input
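The four points on this slide in code, as an added example that is not from the presentation. The config entry name "Pubs", the application path passed to aspnet_regiis, and the allowed database names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;      // reference System.Configuration.dll
using System.Data.SqlClient;

// Added example, not code from the slides. The config entry name "Pubs", the
// application path and the allowed database names are assumptions.
public static class ConnectionStrings
{
    // Databases this application is permitted to open (assumed for illustration).
    private static readonly HashSet<string> AllowedDatabases =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "pubs", "northwind" };

    // Credentials live in the <connectionStrings> section of the config file, not in
    // source. Encrypt that section in place with the .NET tool
    //   aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\MyApp"
    // ConfigurationManager decrypts it transparently at run time.
    public static string FromConfig(string name = "Pubs")
    {
        var settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new InvalidOperationException("Connection string '" + name + "' is not configured.");
        return settings.ConnectionString;
    }

    // When one part must vary at run time, do not concatenate the caller's text into
    // the string. SqlConnectionStringBuilder quotes each value, so ';' or '=' inside
    // 'database' cannot introduce extra keywords, and the allowlist stops the caller
    // from naming an arbitrary database even with a well-formed value.
    public static string ForDatabase(string server, string database)
    {
        if (!AllowedDatabases.Contains(database))
            throw new ArgumentException("Database is not permitted.", nameof(database));

        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,   // Windows authentication: no uid/pwd in the string
            PersistSecurityInfo = false, // same effect as omitting Persist Security Info=true
            Encrypt = true               // TLS to the server
        };
        return builder.ConnectionString;
    }
}
```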

Exception Management
 Use Finally Blocks to Make Sure that Database Connections Are Closed
 Consider Employing the Using Statement to Make Sure that Database Connections Are Closed
 Avoid Propagating ADO.NET Exceptions to Users
 In ASP.NET, Use a Generic Error Page and Log Exceptions on the Server

Secure Data Access
 Authentication, Authorization and Permissions
 Parameterized Commands and SQL Injection
 Script Exploits
 Probing Attacks
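One data-access class that applies the stored-procedure, exception-management and parameterized-command slides together, added here as an example and not taken from the presentation. It assumes a procedure dbo.usp_CountAuthorsByState(@State char(2)) on the pubs database, an application role AppRole that holds EXECUTE on it and nothing on the table, and a caller-supplied logging delegate; all of these are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the slides. Assumed database setup (T-SQL):
//   GRANT EXECUTE ON dbo.usp_CountAuthorsByState TO AppRole;
//   DENY  SELECT  ON dbo.authors TO AppRole;   -- table reachable only through the procedure
public sealed class AuthorRepository
{
    private readonly string _connectionString;
    private readonly Action<Exception> _log;   // server-side logger supplied by the host (assumed)
    public AuthorRepository(string connectionString, Action<Exception> log)
    {
        _connectionString = connectionString;
        _log = log;
    }
    // Anti-pattern, kept only for contrast: the caller's text becomes part of the
    // statement, so a quote character in 'state' changes what the server executes.
    public int CountUnsafe(string state)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM authors WHERE state = '" + state + "'", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
    // Hardened version: stored procedure invoked by name, input sent as a typed
    // parameter, connection disposed deterministically, ADO.NET details kept server-side.
    public int CountByState(string state)
    {
        try
        {
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand("dbo.usp_CountAuthorsByState", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;   // the name is never parsed as SQL text
                cmd.Parameters.Add("@State", SqlDbType.Char, 2).Value = state; // sent as data, at most 2 chars
                conn.Open();
                return Convert.ToInt32(cmd.ExecuteScalar());     // first column of the first row
            }                                                    // 'using' closes conn even when an exception is thrown
        }
        catch (SqlException ex)
        {
            _log(ex);   // full error (SQL text, server details) stays in the server log
            throw new InvalidOperationException("The request could not be completed."); // generic message for users
        }
    }
}
```

In ASP.NET the generic InvalidOperationException is what the custom error page sees; the SqlException never reaches the browser.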

Privacy and Data Security
 Cryptography and Hash Codes
 Encrypting Configuration Files
 Securing String Values in Memory

Best Practices – Stored Procedures
 Grant EXECUTE permissions for database roles
 Revoke or deny all permissions to the underlying tables for all roles and users in the database
 Do not add users or roles to the sysadmin or db_owner roles
 Disable the guest account; this prevents anonymous users from connecting to the database


Thank You