Web Application Interface to SQL Queries - sql

Looking for advice on web development languages/tools for a simple project. I have used HTML to create simple sites before but they were primarily just static information. I have no experience with web scripting, etc. at this point.
Our company has a half dozen or so Transact SQL queries that produce simple text reports from our SQL Server database. I would like to create a simple web type application so that users on our intranet can run these queries themselves vs. asking for what they need.
The queries require minimal input from the user. Typically they would only need to enter a start and stop date or a customer number, or an invoice number.
The application needs to be functional, not especially pretty. I want the user to be asked for the above type of input as appropriate and then specify where a file with the results should be written on their computer.
On other projects I have done some Python programming in conjunction with the SQL Server database, just nothing that interacts with a web site or that has a GUI.
Thank you in advance for your suggestions.

You'll at the very least need to know a server-side language such as PHP or Python to make the queries. Maybe a CGI script?

Most commonly used, I believe, is PHP. It is well-documented and meant for what you want to do, contrary to Python, which doesn't play as nice with HTML as PHP. As stated on the PHP website, it is quite popular and as such has quite a few tutorials online. After you understand the syntax - you said you have programmed in Python, so only the syntax would be new to you - you should look into how to connect with your SQL Server. Microsoft owns that, so I hope (for them) they explain it well enough: http://technet.microsoft.com/en-us/library/cc793139(v=sql.90).aspx. That should equip you with what is needed for what you describe in the question.
I found this question as well: Can PHP work with a MS SQL database. The accepted answer suggests you can use PDO as well to connect to SQL Server. I recommend PDO over the mssql_ functions, because it offers an object oriented API and an API that makes prepared statements real easy, among others.
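As an added example (not code from the question or either answer), here is the server-side part the question describes sketched in Python: each report's SQL text is fixed in an allow-list, and the user's start/stop dates, customer number or invoice number are validated and then passed as parameters, which is the same idea as the PDO prepared statements recommended above. It uses sqlite3 as a stand-in for SQL Server so it runs offline; the `invoices` table and its rows are constructed sample data, and the assumption is that with pyodbc against SQL Server the same `?` placeholders apply and only the connect call changes. The same parameterization covers the "validate and escape" advice given for the C MySQL client question further down the page.

```python
import csv
import io
import re
import sqlite3
from datetime import date


# Input parsers: each turns the raw form string into a typed value or raises
# ValueError, so the web handler can answer 400 before any SQL runs.
def parse_date(s):
    return date.fromisoformat(s).isoformat()      # ISO date or ValueError


def parse_customer(s):
    n = int(s)
    if n <= 0:
        raise ValueError("customer number must be positive")
    return n


def parse_invoice(s):
    if not re.fullmatch(r"[A-Z0-9-]{1,20}", s):   # assumed invoice number format
        raise ValueError("invoice number has an unexpected format")
    return s


# Allow-list of reports. The SQL never changes; only the bound values do, so
# user input is data to the database engine, never part of the statement.
# (sqlite3 and pyodbc both use '?' placeholders.)
REPORTS = {
    "sales_by_period": (
        "SELECT invoice_no, customer_no, invoice_date, total FROM invoices "
        "WHERE invoice_date BETWEEN ? AND ? ORDER BY invoice_date",
        [("start_date", parse_date), ("stop_date", parse_date)],
    ),
    "customer_invoices": (
        "SELECT invoice_no, invoice_date, total FROM invoices "
        "WHERE customer_no = ? ORDER BY invoice_date",
        [("customer_no", parse_customer)],
    ),
    "invoice_detail": (
        "SELECT invoice_no, customer_no, invoice_date, total FROM invoices "
        "WHERE invoice_no = ?",
        [("invoice_no", parse_invoice)],
    ),
}


def run_report(conn, report_name, form):
    """form is the submitted field->string mapping. Returns (headers, rows)."""
    if report_name not in REPORTS:
        raise ValueError("unknown report")
    sql, spec = REPORTS[report_name]
    params = [parser(form[field]) for field, parser in spec]   # KeyError/ValueError -> 400
    cur = conn.execute(sql, params)
    headers = [d[0] for d in cur.description]
    return headers, cur.fetchall()


def report_to_csv(headers, rows):
    """CSV text to send back as a file download (Content-Disposition: attachment)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(headers)
    writer.writerows(rows)
    return buf.getvalue()


def sample_connection():
    """Constructed stand-in for the SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE invoices (invoice_no TEXT PRIMARY KEY, customer_no INTEGER,
                               invoice_date TEXT, total REAL);
        INSERT INTO invoices VALUES ('INV-0001', 100, '2024-01-05', 250.00);
        INSERT INTO invoices VALUES ('INV-0002', 200, '2024-01-20', 99.50);
        INSERT INTO invoices VALUES ('INV-0003', 100, '2024-02-02', 410.25);
    """)
    return conn


if __name__ == "__main__":
    conn = sample_connection()
    form = {"start_date": "2024-01-01", "stop_date": "2024-01-31"}
    headers, rows = run_report(conn, "sales_by_period", form)
    print(report_to_csv(headers, rows))
```

In a real handler the report name comes from the URL and `form` from the POST body; because the SQL is selected by name from `REPORTS` and the values are bound, a malformed date or an invoice number containing punctuation is rejected by the parser and never reaches the database.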

Related

PowerApps vs. Visual Studio (VB.net)

For my small company I am trying to build a data input form for several departments that input data into SQL tables. I would like to give the user the ability to input data, update existing data, and see graphs of historical data that they have inputted.
I personally know VB.net but my IT head wants to use PowerApp. No one knows PowerApp in the company but he thinks it will be easier to use and implement/share across the company.
Is PowerApp easy to learn?
Can Power App input data into MS SQL?
In general, which is better for my intended use?
Thank you!
YMMV, but in general PowerApps is easier than a programming-language based platform for building apps. It won't be as powerful as the latter, but for the specific example that you mentioned (data input, presentation), it should be fine. Take a look at the documentation, especially the section about creating an app automatically from your data (the link talks about apps from SharePoint, but the same works for SQL Server as well).
Yes, data integration is built into the platform, and SQL Server (both SQL Azure and on-premises installations of SQL Server) is supported.
As always, it depends (which is why this question may be closed for being primarily opinion-based). A full-fledged programming language will always have more power than a "no-code/low-code" solution such as PowerApps, but if what you need to do is within the domain of that solution, it will likely be easier to implement. PowerApps also makes it easier to deploy the app in mobile devices (iOS / Android), which is not as easy to do with VB.NET, but again, that depends on your scenario.

Is SQL injection or hacking possible in the Yii web application?

I am new to Yii. I want to know: is SQL injection or any hacking possible in a Yii web application? If so, how do I avoid that problem?
Yes. Any "hacking" is possible in any web application.
Because it is not software that makes an application safe, but the programmer. Yii is only a tool, and how to use it is entirely up to the one who uses it.
So, you have to learn how to use Yii, and technology and security basics in general. Without such education, which cannot be obtained by asking and answering just one question, one cannot create a safe application.
To make this answer not entirely off topic, as long as you're using Yii ActiveRecord, you can consider your code SQL injection safe, because AR takes the trouble of creating SQL queries for you.
Yeah. It depends on the programmer and how he/she uses the code, if executed correctly. Try to read the Yii documentation; it shows how to use the code properly and make it resistant to SQL injection.
Yes. The saying "Security is insecurity." is a big issue in web security.
Everything is hackable, but it depends on the security of the system and the performance of the device trying to hack it. If a hacker tries to hack a website with a normal PC it may take millions of years, but using a quantum computer it may be broken within a second.
In the case of a web application built with the Yii PHP framework, it may also be hackable. Somehow this framework provides strong security measures.

A simple C MySQL client - direct access safe enough?

I want to develop a (very) simple MySQL client application in C, for Ubuntu Linux. The functionality for now should include just adding new records to the database (on a remote server). I've experimented with the MySQL API and wrote a simple program that does this locally, however I'm not sure if that's the way to go with a remote database (on a server). Should I just directly connect? Is that safe? Or maybe I should use cURL to access a PHP script which would then process the queries for me?
Thanks in advance.
It is fine and perfectly safe to directly connect using C; that is what the API is there for. Remember the usual rules apply when handling user input: validate heavily and escape strings, but this is not something unique to C.
If you feel you'd rather work in MySQL with PHP you can always output data in an easier-to-use format to work with in C and save yourself having to use the MySQL library; it depends on your performance requirements as to what you do, I guess. Personally I got tired of building raw SQL queries and models in C very quickly. MySQL++ (C++) can alleviate the pain somewhat, but C/C++ are just not as nice as other languages for this kind of thing.
You state that it is a remote server. If you have already built a lot of infrastructure in PHP I'd be inclined to use that and build an interface between your client application and the database. Of course what you do depends entirely on the requirements of your application.

Embedded SQL editor for web pages

We are developing a web application in Java/Java EE where users should be able to type in the SQL queries, and should be able to see syntax coloring, table view, content help etc.
Please suggest any third party tools which can be embedded into webpages which does this.
The closest thing I can find is this http://archive.eso.org/wdb/html/wdb.html. I have never used it and it may require an interface implementation for the specific DB you use (see the dev section http://archive.eso.org/wdb/html/doc/WDB/node1.html).
I think the problem is most web front ends specialise in one particular DBMS instead of being agnostic and most are not written in a way that enables components to be dropped into other applications.
The WDB code may give you a starting point on coding this yourself though.
Is there a particular DBMS that you need to support?
You might have more joy looking into available third party SQL parsers and hooking them up in a web page with AJAX. I would expect any third party library worth its salt to already try and detect SQL injection, but it would be wise to verify that's the case.

Consuming web services from Oracle PL/SQL

Our application is interfacing with a lot of web services these days. We have our own package that someone wrote a few years back using UTL_HTTP and it generally works, but needs some hard-coding of the SOAP envelope to work with certain systems. I would like to make it more generic, but lack experience to know how many scenarios I would have to deal with. The variations are in what namespaces need to be declared and the format of the elements. We have to handle both simple calls with a few parameters and those that pass a large amount of data in an encoded string.
I know that 10g has UTL_DBWS, but there are not a huge number of use-cases on-line. Is it stable and flexible enough for general use? Documentation
I have used UTL_HTTP, which is simple and works. If you face a challenge with your own package, you can probably find a solution in one of the many wrapper packages around UTL_HTTP on the net (Google "consuming web services from pl/sql", leading you to e.g. http://www.oracle-base.com/articles/9i/ConsumingWebServices9i.php).
The reason nobody is using UTL_DBWS is that it is not functional in a default installed database. You need to load a ton of Java classes into the database, but the standard instructions seem to be defective - the process spews Java errors right and left and ultimately fails. It seems very few people have been willing to take the time to track down the package dependencies in order to make this approach work.
I had this challenge and found and installed the 'SOAP API' package that Sten suggests on Oracle-Base. It provides some good envelope-creation functionality on top of UTL_HTTP.
However, there were some limitations that pertain to your question. SOAP_API assumes all requests are simple XML, i.e. only a one-layer tag hierarchy.
I extended the SOAP_API package to allow the client code to arbitrarily insert an extra tag. So you can insert a sub-level such as , continue to build the request, and remember to insert a closing tag.
The namespace issue was a bear for the project: different levels of XML had different namespaces.
A nice debugging tool that I used is TCP Trace from Pocket Soap.
www.pocketsoap.com/tcptrace/
You set it up like a proxy and watch the HTTP request and response objects between client and server code.
Having said all that, we really like having a SOAP client in the database: we have full access to all data and existing PL/SQL code, can easily loop through cursors and call the external app via SOAP when needed. It was a lot quicker and easier than deploying a middle tier with lots of custom Java or .NET code. Good luck and let me know if you'd like to see my enhanced SOAP API code.
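An added example, and not the SOAP_API package or the poster's enhanced version of it: the envelope-building concerns described in this answer (sub-level tags, different namespaces at different levels, large payloads passed as an encoded string) shown in Python with `xml.etree`, which declares every namespace used on the root element and escapes element text. The operation name, namespace URIs and parameter names are made-up values for the demonstration.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def build_soap_envelope(operation, params, namespaces):
    """Return a SOAP 1.1 envelope as a string.

    operation  : Clark-notation name of the body element, e.g. "{urn:x}GetInvoice"
    params     : list of (name, value) pairs; a value may be a str/int, bytes
                 (emitted base64-encoded) or a nested list of pairs (a sub-level)
    namespaces : {prefix: uri} for every namespace used in the body
    """
    ET.register_namespace("soapenv", SOAP_ENV)
    for prefix, uri in namespaces.items():
        ET.register_namespace(prefix, uri)

    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_ENV}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    _append_params(ET.SubElement(body, operation), params)
    # ElementTree collects the namespaces actually used, declares them once on
    # the root element, and escapes &, < and > in text, so a value containing
    # markup characters cannot break or alter the document structure.
    return ET.tostring(envelope, encoding="unicode")


def _append_params(parent, params):
    for name, value in params:
        child = ET.SubElement(parent, name)
        if isinstance(value, list):         # sub-level tag: recurse into its children
            _append_params(child, value)
        elif isinstance(value, bytes):      # large opaque payload as base64 text
            child.text = base64.b64encode(value).decode("ascii")
        else:
            child.text = str(value)


# Constructed namespaces and request for the demonstration.
ORD = "urn:example:orders"
COM = "urn:example:common"


def sample_request():
    return build_soap_envelope(
        f"{{{ORD}}}GetInvoice",
        [
            (f"{{{ORD}}}InvoiceNumber", 1042),
            (f"{{{COM}}}Options", [(f"{{{COM}}}Format", "PDF")]),   # different namespace one level down
            (f"{{{ORD}}}Note", "quantity < 5 & paid"),              # text needing escaping
            (f"{{{ORD}}}Attachment", b"\x00\x01"),                  # encoded binary payload
        ],
        {"ord": ORD, "com": COM},
    )


if __name__ == "__main__":
    print(sample_request())
```

The resulting string is what a UTL_HTTP-style client would put in the request body; building it from a tree rather than concatenating strings is what removes the hard-coded envelope and the per-system namespace fiddling described above.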
We have also used UTL_HTTP in a manner similar to what you have described. I don't have any direct experience with UTL_DBWS, so I hope you can follow up with any information/experience you can gather.
#kogus, no it's a quite good design for many applications. PL/SQL is a full-fledged programming language that has been used for many big applications.
Check out this older post. I have to agree with that post's #1 answer; it's hard to imagine a scenario where this could be a good design.
Can't you write a service, or standalone application, which would talk to a table in your database? Then you could implement whatever you want as a trigger on that table.