.net 2.0 DataList security


John

Being a classic .asp programmer I'm very fond of the idea of using the drag
and drop DataList control that's in asp.net 2005. This sounds like it will
totally save me a ton of work and time in not having to recreate the wheel
as I find myself recoding the same basic data access controls/forms in
classic .asp for all of my user requests. The data that we have is
sensitive data and I've installed the Certificate Service on our IIS 5.0 web
server which should be encrypting the whole communication from our web
server to our database SQL Server 2000 server (which is on a different
machine). In using this https/ssl method I've been storing the connection
string in a connection string .asp file and have individual SQL logins for
each user that accesses the data to our SQL Server database.

I guess I'm not too clear on the back end things with this DataList control
since there's no script file being created with all of the statements. Is
using this DataList control secure in that SQL injection won't be possible?
Is it ok to use this control where all of the hidden backend SQL commands are
secure and that it won't be necessary in having to create and write
parameterized stored procedures as the known good programming practice?
Also, in continuation with my above paragraph I notice that in configuring
the SQLDataSource for the DataList control it appears that there will always
only be one so called "generic" login (whether it's Windows Authentication
or SQL Authentication being chosen in the Configure Data Source) as the
connection to our SQL Server in that we need to track all individual user
activity to the database. I had created an automatic profiler trace stored
procedure which has been extremely helpful for the past few years in doing
the 'heavy lifting' of documenting all user activity and operation on the
database. So is there a way to modify the connection setting to allow any
individual with valid SQL login credentials to connect to our SQL Server?
Will the current https/ssl setup that I have for my classic .asp
applications be ok to implement the same way in creating asp.net 2005
applications in that the connection string will be stored as a SQL
authentication string in one of the asp.net 2005 project files since the
whole communication layer is being encrypted?

John
 
