Presentation is loading. Please wait.

Presentation is loading. Please wait.

ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient.

Published byPaul Robinson Modified over 8 years ago

Similar presentations

Presentation on theme: "ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient."— Presentation transcript:

1 ADO.NET AND STORED PROCEDURES - Swetha Kulkarni

2 RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient System.Data.OracleClient System.Data.OleDb System.Data.Odbc System.Data.SqlServerCe Application Dataset

3 RDBMS ADO.NET Provider Application Dataset Connection

4 RDBMS ADO.NET Provider Application Dataset Dataadapter Connection Datatable

5 ADO.NET Objects  Contains the “main” classes of ADO.NET  In-memory cache of data  In-memory cache of a database table  Used to manipulate a row in a DataTable  Used to define the columns in a DataTable  Used to relate 2 DataTables to each other System.Data DataTable DataRow DataRelation DataColumn DataSet

6 Benefits of Stored Procedures  Stored procedures pass less information over the network on the initial request. Hence faster  Parameterized stored procedures that validate all user input can be used to thwart SQL injection attacks  Errors can be handled in procedure code without being passed directly to client applications  Stored procedures can be written once, and accessed by many applications

7 Security Overview – ADO.NET  Design for Security - Threat Modeling  The Principle of Least Privilege

8 Authentication  If possible, use Windows authentication  SqlConnection pubsConn = new SqlConnection( "server=dbserver; database=pubs; Integrated Security=SSPI;");  If you use SQL authentication, use strong passwords  SqlConnectionString = "Server=YourServer\Instance; Database=YourDatabase; uid=sa; pwd=;"  Consider Which Identity to Use to Connect to the Database

9 Ownership chain

10 Authorization  Restrict Unauthorized Code  Restrict Application Access to the Database

11 Configuration and Connection Strings  Avoid Credentials in Connection Strings  Store Encrypted Connection Strings in Configuration Files  Do Not Use Persist Security Info="true" or "yes"  Avoid Connection Strings Constructed With User Input

12 Exception Management  Use Finally Blocks to Make Sure that Database Connections Are Closed  Consider Employing the Using Statement to Make Sure that Database Connections Are Closed  Avoid Propagating ADO.NET Exceptions to Users  In ASP.NET, Use a Generic Error Page, Log exceptions on the server

13 Secure Data Access  Authentication, Authorization and Permissions  Parameterized Commands and SQL Injection  Script Exploits  Probing Attacks

14 Privacy and Data Security  Cryptography and Hash Codes  Encrypting Configuration Files  Securing String Values in Memory

15 Best Practices – Stored Procedures  Grant EXECUTE permissions for database roles  Revoke or deny all permissions to the underlying tables for all roles and users in the database  Do not add users or roles to the sysadmin or db_owner roles  Disable the guest account. This will prevent anonymous users from connecting to the database

16 References  http://www.guidanceshare.com/wiki/ADO.NET_2.0 _Security_Guidelines  http://msdn.microsoft.com/en- us/library/ms971481.aspx  http://msdn.microsoft.com/en- us/library/bb669058.aspx

17 Thank You

Download ppt "ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient."

Similar presentations

Chapter 10 ADO. What is ADO? ADO is a Microsoft technology ADO stands for ActiveX Data Objects ADO is a programming interface to access data in a database.

Chapter 10 ADO. What is ADO? ADO is a Microsoft technology ADO stands for ActiveX Data Objects ADO is a programming interface to access data in a database.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.

Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Overview of ADO.NET Whidbey  Wallace B. McClure  Scalable Development, Inc. Scalable Development, Inc. Building systems today that perform tomorrow.

Overview of ADO.NET Whidbey  Wallace B. McClure  Scalable Development, Inc. Scalable Development, Inc. Building systems today that perform tomorrow.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
ODBC, OLE DB, and ADO Introduction Dr. Ron Eaglin.

ODBC, OLE DB, and ADO Introduction Dr. Ron Eaglin.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
ADO.NET A2 Teacher Up skilling LECTURE 3. What’s to come today? ADO.NET What is ADO.NET? ADO.NET Objects SqlConnection SqlCommand SqlDataReader DataSet.

ADO.NET A2 Teacher Up skilling LECTURE 3. What’s to come today? ADO.NET What is ADO.NET? ADO.NET Objects SqlConnection SqlCommand SqlDataReader DataSet.
Developing Web Applications Using Microsoft ® Visual Studio ® 2008.

Developing Web Applications Using Microsoft ® Visual Studio ® 2008.
A Simple Introduction. What is ADO.net? First the word ADO stands for ActiveX Data Objects And it is an integral part of.Net Framework of Microsoft hence.

A Simple Introduction. What is ADO.net? First the word ADO stands for ActiveX Data Objects And it is an integral part of.Net Framework of Microsoft hence.

Similar presentations

Ads by Google