I really don't like the concept of opening my SQL server(s) to the internet - even if I can lock down the firewall. However I've always been working directly with databases. I'm building a system now which involves 1 SQL Server database, a web application in ASP.NET/C#, and a few windows applications in Delphi XE2. But from the beginning, I'd like to put some sort of 'filter' around the database so I don't have to open it up.
I know there are many things out there for this, but don't know anything about them or what to get for my scenario. I'd like to keep it native to SQL Server; I don't plan on using any other type of database engine.
It needs to be connected from client to server by other means than the standard SQL connection, like a filter. It creates its own encrypted packets and transfers data its own way. I will have a wrapper class for both Delphi and C# which will pretty much be identical - and be able to stream its data into the DLL to interact with the DB.
Now there are three different ways I can go about this...
Complete SQL Server wrapper, most likely no source code, might even have its own language (I don't want to pick up another database language), and independent from my project as its own separate system.
Open-source wrapper, preferably in Delphi (XE2), or if not then C#, specific protocols for my system, entirely dedicated to my project, and in the final form of a DLL which can be used on both the Website (in C#) and the applications (in Delphi).
Web Service - however I only have 1 hosting spot (Paying for 1 site, 2nd site will be a double charge on me). I can't host any additional web services or windows services; it has to be integrated with the website. Otherwise, I would have done a web service for this.
I would much prefer the second option, and do not want to go anywhere close to the first one, and can't do the third one at all.
So any good libraries for database layers? And might there be some already installed in Delphi XE2? I'm thinking maybe an encrypted XML packet?
As an example, let's say I have a table for 'Customers'. In both my website and applications, I should never have any SQL script like select * from Customers or no SQL script in general. Instead, I will have a wrapper around the database. So I can call a function such as DBGetCustomers(Conditions: TGetCustomersConditions): TDBCustomers; where TGetCustomersConditions is some way of filtering the query, and TDBCustomers represents the results from the query.
There could also be a function DBAddCustomer(Item: TCustomerToAdd): TInsertSuccess; where TCustomerToAdd represents what to insert, and TInsertSuccess represents any result, such as error message(s) or rows affected. I do not intend for it to be working exactly like this, but just to explain the concept of any wrapper in general. When the app sends to request to the server, it still has not converted anything to a SQL Query. By the time the request gets to the server (which is able to connect to the database), then the server alone decodes everything to the SQL query.
What's the problem even if you have just one "hosting spot"? A web service is just a "site". And a web server can easily host multiple site even with a single IP address. Anyway, what you're looking for is an "application server" in a multi-tier design.
While Java invested heavily in that direction, MS did not. Delphi has Datasnap, which is a so-so framework, don't know if the new "restful" interface is easily callable from C#, it looks to have security flaws though. The .NET way of doing it is using WCF, as long as it uses a standard protocol you can call if from Delphi has well.
You could also look at RemObjects DataAbstract. It's not open source, but it is a mature library.
One of the 'traditional' ways to do this is via webservices (although this technique is now considered by some to be a bit dated).
One disadvantage is that it is not a generic wrapper you can throw around the database, but it has the advantage that you can limit access to the database easily to specific stored procedures for example, which will maximise security, and is a standard technique if you wish to provide limited authorised access to external applications.
If you already use a ASP.NET C# web application, you could also add a WCF (Windows Communication Foundation) based web service to your web site. This can provide database access to external applications, which need to connect the web service somehow. It should even be possible to use the same HTTP standard port for both the normal web site pages and the service, by mapping the web service to a specific context path like www.example.com/services/servicename
Kbmw allows you to make a ntier db architecture.
However since you have a web application involved, a better option would be WCF (as already suggested)
Related
Hi i have a C# WinForms app. I wrote essential methods on C#. But I need a login form and its not safe since apps like dotpeek can inspect the source code and hack it. Can i communicate with another application that is written in another language (java,c,python etc). I need to send input data from WinForms C# to another app then it should connect to database and check if login succesfull then return a value back to C# WinForms app. Is that possible, how can i implement that? I dont want to write all application in another language since C# has good methods to process images/pixels and gui support with very small memory usage.
I got the point you are trying to make.
One thing to admit is that you can't completely avoid decompiling of apps. C# or C++, no matter anything can be reverse engineered.
If you still need it, a comparatively safer approach is to not put the checking app at the client's machine. Create an API and host the database on a server.
Then initiate just an Http Request to the server from your Windows Forms app.
Then you have the full control of Login API and database. Many applications use OAuth similar to this. Another examples are apps verify it's license using an online API.
You can get a LightSail Windows server in around $10 a month if you want to setup. Try exploring
Your concern is not baseless. C#, or for that matter, any .net language running on the CLR, will be easier to inspect than a language like C or C++.
Having said that, no app will be completely secure, and communicating between apps has its own problems. How does one app verify the other? etc. You can create a web service that would communicate with the database (and communicate with the web service using HTTP or WCF) which would mean your app wouldn't have direct access to the database, but that would only protect the database from your app, it would still allow someone to inspect your app and use the web service, impersonating your app. Also, you would need to host the web service on some web hosting service, and then you would have to trust that service to not inspect your app...
You can reduce the problem by storing the password etc. as byte arrays, but regardless of what you do, I don't know of a way to completely safeguard your app. If a malicious app/actor is on your computer they can inspect your app.
As for your question itself - look into WCF or named pipes (includes a simple example).
I'm coding an application which will be given to many clients, in order to not allow them to direct access to my database I started developing a server application with C++ which receives the client requests, interact with the database and send the responses. but this seems to be a little bit complicated, is it better to allow the client application to interact with the remote database ? and is there any risks with this?
First solution :
Second solution :
Typically you would abstract the database with an interface. A classic would be odata, which visual studio can build as an asp web service from a wizard. This is restful as Joakim recommended.
https://en.wikipedia.org/wiki/Database_abstraction_layer
There are various options like the one mentioned by 'tim' which can be done without using ODATA; that means creating a data layer (separate application) which will cater the requests from client and wont let them access the database directly. However, before suggesting I would like to know how you are hosting the web application?
You can still achieve no-access by client by blocking remote access to the database.
The concerns depend on your code and structure; both approaches are valid!
if you have a C# client why not use a C# WCF server?
what you do in soultion 1 is usually the best practice.
it allows you to:
*later switch the database.
*hides from your client the database's structure.
meaning that if someone decompiles your client they wont know how to attack you.
but it is more complex and takes lots of extra work.
if you don't fear someone will hack your database.
and you KNOW the database structure will undergo only very minor changes EVER.
you can skip this and talk strait to the database.
but you are probably wrong.
I am writing a plugin for an application in C#. The plugin allows me full access to the internal information model for the application.
I would like to create a mechanism to allow external applications to be able to connect to the information so they can report on it etc.
In days of old this used to be achieved via ODBC links - is that still the way to go.
I assume it's a significant task to create an ODBC driver for this, are there any easier recommendations or example C# code for cresting a driver.
Looking back I was not very clear in the original question. The requirement is to allow two applications on the same PC to share data. The "host" application use a proprietary storage format and as such access to the data cannot be achieved without using the "Host" application. The "host" applications allows the development of plugins (using C#) and the plugins have access to all of the data within the application. On that basis I was exploring whether a plugin could therefore expose an interface to an other external application and as such could act as a "Data Access Layer"
My reference to ODBC is probably a "red herring" - just shows how out of touch I am in this area.
Probably you are looking for something like Remoting and\or Web Services and\or the more modern WCF (windows communication foundation).
You can write your own services and access to that services from every language you want.
C# support for WCF and Remoting and WebServices is very good and allow you to write your server-client infrastructure in a very clean, object oriented and easy way.
Use HTTP: each services is handled in a serialized object sent in XML through an HTTP server, for example, IIS.
Clients can be written in every kind of language you want, from PHP to C# to C++ to JAVA to wathever, they need only to connect through HTTP and parse\deserialize\serialize XML.
You can choose your architecture. If both clients and servers are written in C# all is transparent to you, serialization and deserialization of XML, remote procedure call and IIS integration are all ready for you to use. You need only to write your applications.
You can export services instead of tables like a relational DBMS does, in this way you can divide the logic of your system from the data layer and the presentation layer.
In this way you can obtain scalability, multiplatform and multisystem support.
Some links to read:
http://en.wikipedia.org/wiki/Windows_Communication_Foundation
http://www.codeproject.com/KB/webservices/myservice.aspx
http://msdn.microsoft.com/en-us/library/aa730857(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/kwdt6w2k(v=vs.71).aspx
http://blogs.microsoft.co.il/blogs/bursteg/archive/2008/02/10/how-to-build-an-n-tier-application-with-wcf-and-datasets-in-visual-studio-2008.aspx
http://msmvps.com/blogs/williamryan/archive/2008/05/16/doing-tiers-with-wcf.aspx
Instead, if you are in an intranet, for example, or a single computer and you want just to share a DB service, you can just use SQLServer or MySql or PostgreSql and connect to it via TCP/IP.
Is not safe\secure however to expose a DB service on internet or in an intranet where security can be a problem.
Note also that SQLServer Express is free and may be suitable for you if you don't have much users\connections or a DB not greater than 4gb.
MySql and PostgreSql are free and open source.
Now, i am planning to have 1 main computer and 2 client computer in the same domain. I want to run a form application in the main computer that uses Sqlite database. Then I want to query some data in the main computer from client computers. What would be your suggestions about those 2 questions of mine:
What is the best way to implement this server-client structure to communicate computers.
What is the best way to get a big datatable from main computer that uses sqlite.
I am using .Net Framework 4.0 for Form applications.
you may share the directory, either via Netbios (aka samba, for linux users) or nfs.
however, this is not a good idea, since sqlite locks the file, this may break your implementation if the filesystem fails for whatever reason. you might want to use a real distributed architecture, helping concurrency and load balancing.
another way would be to use sqlite, but proxy it through a web service, made by you specifically for this. it will serve the requests, and it would be run in the same server where you want the sqlite file, so you can avoid sharing the file/directory containing the database
You could set up a WCF service that serializes and deserializes commonly shared model/domain objects. WCF sends it across the wire.
I'm going to develop a POS system for medium scale company
and the requirement for me is to make all data on time for all of their branches
while in my mind, move the server from local to web would solve this problem
but, i never done any online server for window application
may i know what is the best option for use as secure database ?
such as SQL can handle this well ?
i tried to google but all of the result return is not what i want
may i know what will you do when you facing this problem ?
my knowledge on coding is just VB and CS
also SQL for database
i would like to learn new if there is better option
i hope it is impossible to access by anonymous and it is store secure at back-end only
What you probably want to do is create a series of services exposed on the internet and accessed by your application. All database access would be mediated by these services. For security you would probably want to build them in WCF and expose them through IIS. Then your Windows application would just call these services for most of its processing.
If you design it properly you could also have it work with a local database as well so that it could work in a disconnected manner if, for example, your servers go down.
Typically you don't move the server off of the site premises.
The problem is that they will go completely down in the event your remote server is inaccessible. Things that can cause this are internet service interruption (pretty common), remote server overloaded (common enough), basically anything that can stop the traffic between the store location and your remove server will bring them to their knees. The first time this happens they'll scream. The second time and they'll want your head due to the lost sales.
Instead, leave a sql server at each location. Set up a master sql server somewhere. Then set up a VPN connection between the stores and this central office. Finally, have the store sql boxes do merge replication with the central office. Incidentally, don't use the built in replication, but an off the shelf product which specializes in replicating sql server. The built in one can be difficult to learn.
In the event their internet connection goes dark the individual stores will still be able to function. It will also remain performant as all of the desktop app traffic is purely to the local sql box.
Solving replication errors is much easier than dealing with a flaky ISP.
I would recommend you to check Viravis Platform out.
It is an application platform that also can be used just as an online database for any .NET client with the provided SDK. It has its own generic windows and web clients and some custom web solutions for some specific applications.
You may be using it as a complete solution or as a secure online database backend.