Accessing MSSQL using a web browser
Posted Friday, July 19, 2013 4:01 AM
I have seen various posts showing interest in being able to perform simple queries and execute stored procs on MSSQL using a web browser. I had a similar interest so I developed a web app to do it. The beta is here: http://esqlclient.azurewebsites.net

I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be. I only tested it on MSSQL 2012 but it may work for earlier versions that are exposed to the internet. It also works for Azure SQL.

The beta will be taken down in a few days so feel free to use it until then and let me know what you think. It should be fairly obvious how to connect but let me know if not. Once connected, you can perform T-SQL and execute SPs according to the permissions set by your DBA.
Post #1475346
Posted Monday, July 22, 2013 6:28 AM


octavuslimited (7/19/2013)
I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be.

The only issue I have is typing my server name, user name and password into some random website.




The SQL Guy @ blogspot

@SeanPearceSQL

Post #1475980
Posted Monday, July 22, 2013 8:47 AM
Hi Sean, you make a good point (though I do detect a little sarcasm in your tone perhaps?!). Actually, the server, user and password are all encrypted (RSA 1024-bit) and the returned data will be encrypted with SSL, which takes care of the www in general, and none of that information is stored by the application (saved credentials are stored as a local cookie). After that, yes, it's a question of do you trust the host, which is the same risk with any purveyor of web-based services?
Post #1476045
Posted Monday, July 22, 2013 8:58 AM


octavuslimited (7/22/2013)
Hi Sean, you make a good point (though I do detect a little sarcasm in your tone perhaps?!). Actually, the server, user and password are all encrypted (RSA 1024-bit) and the returned data will be encrypted with SSL, which takes care of the www in general, and none of that information is stored by the application (saved credentials are stored as a local cookie). After that, yes, it's a question of do you trust the host, which is the same risk with any purveyor of web-based services?


Please tell me you encrypt the contents of that cookie and do not store it in plain text in the cookie.


Post #1476056
Posted Monday, July 22, 2013 9:11 AM


There are serious security questions here. You seem to think that encrypting the communications is enough. I'm not sure you've done that correctly, as the form you send needs to be completely encrypted with SSL, including all elements (images), or there are potential attack vectors.

As Sean alluded, storing credentials in a cookie, which is an attack vector, is a problem.

However, the bigger problem is you don't seem to think that the fact you're asking people to post security credentials to a form, that goes to your server. You are essentially phishing for people's servers, IPs, user names, and passwords. The user has no verification that you aren't storing this information.

My vote would be no, this isn't useful as a service. As a project I could set up for myself, see the code, and connect to my own servers, perhaps.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1476064
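An added example, not part of the thread or of the application under discussion: a small audit of the two transport-level points raised in the post above, namely page elements loaded outside SSL and a credential cookie sent without protective attributes. The host name, markup and cookie names are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src",
             "link": "href", "form": "action"}

class MixedContentFinder(HTMLParser):
    """Collect sub-resources and form targets that would travel over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value is None:
            return
        target = urljoin(self.page_url, value)  # resolves relative and //host URLs
        if urlparse(target).scheme == "http":
            self.findings.append((tag, target))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

def weak_cookies(set_cookie_headers):
    """Return {cookie name: [missing attributes]} for cookies lacking Secure/HttpOnly."""
    weak = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            missing = [a for a in ("secure", "httponly") if not morsel[a]]
            if missing:
                weak[name] = missing
    return weak

# Constructed sample input (hypothetical host and cookie names, not from the thread).
SAMPLE_URL = "https://sqlclient.example/login"
SAMPLE_HTML = """
<form action="/connect" method="post"><input name="server"><input type="password" name="pwd"></form>
<img src="http://sqlclient.example/logo.png">
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="style.css">
"""
SAMPLE_COOKIES = ["saved=opaque-token; Path=/",
                  "session=abc123; Path=/; Secure; HttpOnly"]
```

A clean result from both checks covers only the transport and cookie handling; the server that receives the form still sees the server name, user name and password, which is the objection the thread keeps returning to.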
Posted Monday, July 22, 2013 9:19 AM
octavuslimited (7/19/2013)
I have seen various posts showing interest in being able to perform simple queries and execute stored procs on MSSQL using a web browser. I had a similar interest so I developed a web app to do it. The beta is here: http://esqlclient.azurewebsites.net

I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be. I only tested it on MSSQL 2012 but it may work for earlier versions that are exposed to the internet. It also works for Azure SQL.

The beta will be taken down in a few days so feel free to use it until then and let me know what you think. It should be fairly obvious how to connect but let me know if not. Once connected, you can perform T-SQL and execute SPs according to the permissions set by your DBA.


I think this is an awesome project! If you wouldn't mind, could you give me the username and password to that web server so I can check out your source code? Thanks in advance!
Post #1476071
Posted Monday, July 22, 2013 9:41 AM


My concerns mirror Steve's;
If this was a suite of web pages I dropped into a virtual folder on my own IIS server, yeah it would probably be a good idea.
If your example pointed to YOUR server, where I could test drive the interface, that would make me go farther than the initial page.

I know I've built my own "PanicPage" on my web servers so that if the application goes down, I should, in theory, be able to connect to my SQL server, which is not exposed to direct connections, and only from the web server itself.

So that's where I'd see a value with this; say I corrupted my main web site, and couldn't access it, or the code/css got so doinked I couldn't click buttons or something in the main layout.


Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1476091
Posted Monday, July 22, 2013 11:02 AM


Sean Pearce (7/22/2013)
octavuslimited (7/19/2013)
I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be.

The only issue I have is typing my server name, user name and password into some random website.

It's not sarcasm, it's a genuine concern of phishing. There is no way I would enter this information into a form on someone else's website.




The SQL Guy @ blogspot

@SeanPearceSQL

Post #1476149
Posted Tuesday, July 23, 2013 5:35 AM
OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL for example so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general? Any time you put your data, application, whatever, on someone else's server (Microsoft, Google, Facebook, etc.) they have access to the content, no matter what encryption protects your data from everyone else since they know your credentials? Is it enough that you know the legal entity you are dealing with and they have a Privacy Policy?

That said, obviously the site IS protected with SSL and the cookie is NOT stored as a text file (I already said it is RSA encrypted), besides which storing the credentials is optional. Since the project was done to address an internal need, I also fully understand that it is more appealing as an internal solution than an external one so I'd be happy to release a compiled version that could be hosted on the client's own servers as seems to be the general suggestion? As I said, I was previously looking to see if anyone else had already developed such an application and only found similar questions, no answers...

For Lowell and Sean, if you do want to test the application further, I have set up a Guest login and a test database that you can use without fear of phishing! Just PM me and I will give you the info as I really do appreciate the constructive criticism. Otherwise, the encrypted site is now up if you want to take a look: esqlclient.azurewebsites.net

Post #1476510
Posted Tuesday, July 23, 2013 8:48 AM


octavuslimited (7/23/2013)
OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL for example so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general?



Not correct. For Azure, they have my credentials to what I host there. Not what I host elsewhere. You allowing anyone to connect to another server means that you are the man in the middle, with credentials to machines outside your service.

There certainly is greater trust with MS since they have more liability and I have more recourse with them. With you, I have no idea who you are, your assets, or your ability to make good any issues.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1476625