SQLServerCentral is supported by Redgate
 
Accessing MSSQL using a web browser


octavuslimited
Grasshopper (13 reputation)
Group: General Forum Members
Points: 13 Visits: 6
I have seen various posts showing interest in being able to perform simple queries and execute stored procs on MSSQL using a web browser. I had a similar interest so I developed a web app to do it. The beta is here: http://esqlclient.azurewebsites.net

I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be. I only tested it on MSSQL 2012 but it may work for earlier versions that are exposed to the internet. It also works for Azure SQL.

The beta will be taken down in a few days so feel free to use it until then and let me know what you think. It should be fairly obvious how to connect but let me know if not. Once connected, you can perform T-SQL and execute SPs according to the permissions set by your DBA.
Sean Pearce
Hall of Fame (3.8K reputation)
Group: General Forum Members
Points: 3786 Visits: 3436
octavuslimited (7/19/2013)
I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be.

The only issue I have is typing my server name, user name and password into some random website.



The SQL Guy @ blogspot

@SeanPearceSQL

About Me
octavuslimited
Grasshopper (13 reputation)
Group: General Forum Members
Points: 13 Visits: 6
Hi Sean, you make a good point (though I do detect a little sarcasm in your tone perhaps?!). Actually, the server, user and password are all encrypted (RSA 1024-bit) and the returned data will be encrypted with SSL which takes care of the www in general and none of that information is stored by the application (saved credentials are stored as a local cookie). After that, yes, it's a question of do you trust the host, which is the same risk with any purveyor of web-based services?
Sean Lange
SSC Guru (58K reputation)
Group: General Forum Members
Points: 58841 Visits: 17935
octavuslimited (7/22/2013)
Hi Sean, you make a good point (though I do detect a little sarcasm in your tone perhaps?!). Actually, the server, user and password are all encrypted (RSA 1024-bit) and the returned data will be encrypted with SSL which takes care of the www in general and none of that information is stored by the application (saved credentials are stored as a local cookie). After that, yes, it's a question of do you trust the host, which is the same risk with any purveyor of web-based services?


Please tell me you encrypt the contents of that cookie and do not store it in plain text in the cookie.

_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Steve Jones
SSC Guru (138K reputation)
Group: Administrators
Points: 138913 Visits: 19406
There are serious security questions here. You seem to think that encrypting the communications is enough. I'm not sure you've done that correctly, as the form you send needs to be completely encrypted with SSL, including all elements (images), or there are potential attack vectors.

As Sean alluded, storing credentials in a cookie, which is an attack vector, is a problem.

However, the bigger problem is you don't seem to think about the fact that you're asking people to post security credentials to a form that goes to your server. You are essentially phishing for people's servers, IPs, user names, and passwords. The user has no verification that you aren't storing this information.

My vote would be no, this isn't useful as a service. As a project I could set up for myself, see the code, and connect to my own servers, perhaps.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
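
Added example, not part of any post in this thread and not code from the application under discussion: a small Python audit of one login-page response for the two transport-level points raised above, namely page elements or form targets fetched over cleartext HTTP and credential cookies sent without the Secure and HttpOnly attributes. The hostnames, cookie name and sample response are constructed placeholders.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Tag attributes treated here as subresource loads or form targets.
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src",
             "link": "href", "form": "action"}

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value is None:
            return
        # Resolve relative and scheme-relative URLs against the page URL.
        target = urljoin(self.base_url, value)
        if urlparse(target).scheme == "http":
            self.insecure.append((tag, target))

def audit_login_page(page_url, html, set_cookie_headers):
    """Return a sorted list of findings for one login page response."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page itself is not served over https")
    collector = _Collector(page_url)
    collector.feed(html)
    for tag, target in collector.insecure:
        kind = "form posts to" if tag == "form" else f"<{tag}> loads"
        findings.append(f"{kind} cleartext URL {target}")
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            for flag in ("secure", "httponly"):
                if not morsel[flag]:
                    findings.append(f"cookie {name} lacks {flag} flag")
    return sorted(findings)

# Constructed sample response; hostnames and cookie name are placeholders.
SAMPLE_HTML = """<form action="/connect" method="post">
<input name="server"><input name="password" type="password">
<img src="http://static.example.test/logo.png"></form>"""
SAMPLE_COOKIES = ["savedlogin=opaque-value; Path=/; Secure"]
```

A clean result covers only the transport and cookie handling; it says nothing about what the host does with the credentials once it receives them.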
patrickmcginnis59 10839
SSCarpal Tunnel (4.1K reputation)
Group: General Forum Members
Points: 4112 Visits: 5885
octavuslimited (7/19/2013)
I have seen various posts showing interest in being able to perform simple queries and execute stored procs on MSSQL using a web browser. I had a similar interest so I developed a web app to do it. The beta is here: http://esqlclient.azurewebsites.net

I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be. I only tested it on MSSQL 2012 but it may work for earlier versions that are exposed to the internet. It also works for Azure SQL.

The beta will be taken down in a few days so feel free to use it until then and let me know what you think. It should be fairly obvious how to connect but let me know if not. Once connected, you can perform T-SQL and execute SPs according to the permissions set by your DBA.


I think this is an awesome project! If you wouldn't mind, could you give me the username and password to that web server so I can check out your source code? Thanks in advance!

to properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
Lowell
SSC Guru (67K reputation)
Group: General Forum Members
Points: 67218 Visits: 40887
My concerns mirror Steve's;
If this was a suite of web pages I dropped into a virtual folder on my own IIS server, yeah, it would probably be a good idea.
If your example pointed to YOUR server, where I could test drive the interface, that would make me go farther than the initial page.

I know I've built my own "PanicPage" on my web servers so that if the application goes down, I should, in theory, be able to connect to my SQL server, which is not exposed to direct connections, and only from the web server itself.

So that's where I'd see a value with this; say I corrupted my main web site, and couldn't access it, or the code/CSS got so doinked I couldn't click buttons or something in the main layout.

Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
Sean Pearce
Hall of Fame (3.8K reputation)
Group: General Forum Members
Points: 3786 Visits: 3436
Sean Pearce (7/22/2013)
octavuslimited (7/19/2013)
I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be.

The only issue I have is typing my server name, user name and password into some random website.

It's not sarcasm, it's a genuine concern of phishing. There is no way I would enter this information into a form on someone else's website.



octavuslimited
Grasshopper (13 reputation)
Group: General Forum Members
Points: 13 Visits: 6
OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL for example so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general? Any time you put your data, application, whatever, on someone else's server (Microsoft, Google, Facebook, etc.) they have access to the content, no matter what encryption protects your data from everyone else since they know your credentials? Is it enough that you know the legal entity you are dealing with and they have a Privacy Policy?

That said, obviously the site IS protected with SSL and the cookie is NOT stored as a text file (I already said it is RSA encrypted), besides which storing the credentials is optional. Since the project was done to address an internal need, I also fully understand that it is more appealing as an internal solution than an external one so I'd be happy to release a compiled version that could be hosted on the client's own servers as seems to be the general suggestion? As I said, I was previously looking to see if anyone else had already developed such an application and only found similar questions, no answers...

For Lowell and Sean, if you do want to test the application further, I have set up a Guest login and a test database that you can use without fear of phishing! Just PM me and I will give you the info as I really do appreciate the constructive criticism. Otherwise, the encrypted site is now up if you want to take a look: esqlclient.azurewebsites.net
Steve Jones
SSC Guru (138K reputation)
Group: Administrators
Points: 138913 Visits: 19406
octavuslimited (7/23/2013)
OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL for example so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general?



Not correct. For Azure, they have my credentials to what I host there. Not what I host elsewhere. You allowing anyone to connect to another server means that you are the man in the middle, with credentials to machines outside your service.

There certainly is greater trust with MS since they have more liability and I have more recourse with them. With you, I have no idea who you are, your assets, or your ability to make good any issues.
