Accessing MSSQL using a web browser

  • I have seen various posts showing interest in being able to perform simple queries and execute stored procs on MSSQL using a web browser. I had a similar interest so I developed a web app to do it. The beta is here: http://esqlclient.azurewebsites.net

    I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be. I only tested it on MSSQL 2012 but it may work for earlier versions that are exposed to the internet. It also works for Azure SQL.

    The beta will be taken down in a few days so feel free to use it until then and let me know what you think. It should be fairly obvious how to connect but let me know if not. Once connected, you can perform T-SQL and execute SPs according to the permissions set by your DBA.

  • octavuslimited (7/19/2013)


    I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be.

    The only issue I have is typing my server name, user name and password into some random website.

    The SQL Guy @ blogspot

    @SeanPearceSQL

    About Me

  • Hi Sean, you make a good point (though I do detect a little sarcasm in your tone perhaps?!). Actually, the server, user and password are all encrypted (RSA 1024-bit) and the returned data will be encrypted with SSL, which takes care of the www in general, and none of that information is stored by the application (saved credentials are stored as a local cookie). After that, yes, it's a question of whether you trust the host, which is the same risk with any purveyor of web-based services?

  • octavuslimited (7/22/2013)


    Hi Sean, you make a good point (though I do detect a little sarcasm in your tone perhaps?!). Actually, the server, user and password are all encrypted (RSA 1024-bit) and the returned data will be encrypted with SSL, which takes care of the www in general, and none of that information is stored by the application (saved credentials are stored as a local cookie). After that, yes, it's a question of whether you trust the host, which is the same risk with any purveyor of web-based services?

    Please tell me you encrypt the contents of that cookie and not store it in plain text in the cookie.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • There are serious security questions here. You seem to think that encrypting the communications is enough. I'm not sure you've done that correctly, as the form you send needs to be completely encrypted with SSL, including all elements (images), or there are potential attack vectors.

    As Sean alluded to, storing credentials in a cookie, which is an attack vector, is a problem.

    However, the bigger problem is that you don't seem to think about the fact that you're asking people to post security credentials to a form that goes to your server. You are essentially phishing for people's servers, IPs, user names, and passwords. The user has no verification that you aren't storing this information.

    My vote would be no, this isn't useful as a service. As a project I could set up for myself, see the code, and connect to my own servers, perhaps.
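    The two concrete checks raised in this post, a login form that must be served entirely over SSL (no plain-http images, scripts or form action) and a cookie that must not be exposed in transit or to page scripts, can be automated. The script below is an added example written for this thread, not code from the esqlclient project or from any poster; the page URL, HTML and Set-Cookie headers it scans are constructed sample input, and the hostnames are placeholders.

```python
# Login-page transport hygiene audit (added example; all input below is constructed).
#
# Flags two classes of problem:
#   1. mixed content: a page served over https that loads images, scripts,
#      styles, frames or objects over plain http, or posts its form to an
#      http URL (the "form must be completely encrypted, including images" point);
#   2. cookies set without Secure / HttpOnly, so a saved-credential cookie
#      could travel over plain http or be read by script running in the page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes whose URL is fetched or posted to automatically by the browser
INSECURE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
    "form": ("action",),
}

REQUIRED_COOKIE_FLAGS = ("secure", "httponly")


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute_url) for every sub-resource or form
    target that resolves to a plain-http URL relative to the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in INSECURE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value is None:
                continue
            absolute = urljoin(self.page_url, value)  # relative paths inherit https
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def check_set_cookie(header_value):
    """Return (cookie_name, [missing required attributes]) for one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in REQUIRED_COOKIE_FLAGS if flag not in attrs]
    return name, missing


def audit(page_url, html, set_cookie_headers):
    """Run both checks and return the findings as a dict."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    cookie_findings = []
    for header in set_cookie_headers:
        name, missing = check_set_cookie(header)
        if missing:
            cookie_findings.append((name, missing))
    return {"mixed_content": scanner.findings, "cookies": cookie_findings}


# --- constructed sample input: a login page with three mixed-content defects
#     and one saved-credential cookie lacking both flags ---
SAMPLE_URL = "https://example.invalid/login"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.invalid/site.css">
<script src="/js/app.js"></script>
</head><body>
<form method="post" action="http://example.invalid/connect">
  <input name="server"><input name="user"><input name="password" type="password">
  <img src="http://example.invalid/logo.png">
</form></body></html>"""
SAMPLE_SET_COOKIES = [
    "saved_creds=QmFzZTY0LWxvb2tpbmcgYmxvYg==; Path=/; Expires=Wed, 31 Dec 2014 00:00:00 GMT",
    "session=0123abcd; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    result = audit(SAMPLE_URL, SAMPLE_HTML, SAMPLE_SET_COOKIES)
    for tag, attr, url in result["mixed_content"]:
        print(f"mixed content: <{tag} {attr}> loads {url}")
    for name, missing in result["cookies"]:
        print(f"cookie {name!r} is missing: {', '.join(missing)}")
```

    Running it against the sample reports the stylesheet, the form action and the logo as mixed content (the relative `/js/app.js` inherits https and passes), and reports `saved_creds` as missing both `Secure` and `HttpOnly`. Note what the cookie check does not cover: the flags protect the cookie in transit and from page script, but say nothing about who can read its contents. A service that reconnects to the user's database from a cookie must hold the key that decrypts it, so encryption of the cookie does not answer the trust question raised in this post.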

  • octavuslimited (7/19/2013)


    I have seen various posts showing interest in being able to perform simple queries and execute stored procs on MSSQL using a web browser. I had a similar interest so I developed a web app to do it. The beta is here: http://esqlclient.azurewebsites.net

    I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be. I only tested it on MSSQL 2012 but it may work for earlier versions that are exposed to the internet. It also works for Azure SQL.

    The beta will be taken down in a few days so feel free to use it until then and let me know what you think. It should be fairly obvious how to connect but let me know if not. Once connected, you can perform T-SQL and execute SPs according to the permissions set by your DBA.

    I think this is an awesome project! If you wouldn't mind, could you give me the username and password to that web server so I can check out your source code? Thanks in advance!

  • My concerns mirror Steve's.

    If this was a suite of web pages I dropped into a virtual folder on my own IIS server, yeah, it would probably be a good idea.

    If your example pointed to YOUR server, where I could test drive the interface, that would make me go farther than the initial page.

    I know I've built my own "PanicPage" on my web servers so that if the application goes down, I should, in theory, be able to connect to my SQL server, which is not exposed to direct connections, and only from the web server itself.

    So that's where I'd see a value with this; say I corrupted my main web site and couldn't access it, or the code/CSS got so doinked I couldn't click buttons or something in the main layout.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Sean Pearce (7/22/2013)


    octavuslimited (7/19/2013)


    I'd be interested to know whether people think this is useful and what issues (licensing, security, traffic etc.) there might be.

    The only issue I have is typing my server name, user name and password into some random website.

    It's not sarcasm, it's a genuine concern of phishing. There is no way I would enter this information into a form on someone else's website.

    The SQL Guy @ blogspot

    @SeanPearceSQL

    About Me

  • OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL, for example, so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general? Any time you put your data, application, whatever, on someone else's server (Microsoft, Google, Facebook, etc.) they have access to the content, no matter what encryption protects your data from everyone else, since they know your credentials? Is it enough that you know the legal entity you are dealing with and they have a Privacy Policy?

    That said, obviously the site IS protected with SSL and the cookie is NOT stored as a text file (I already said it is RSA encrypted), besides which storing the credentials is optional. Since the project was done to address an internal need, I also fully understand that it is more appealing as an internal solution than an external one, so I'd be happy to release a compiled version that could be hosted on the client's own servers, as seems to be the general suggestion? As I said, I was previously looking to see if anyone else had already developed such an application and only found similar questions, no answers...

    For Lowell and Sean, if you do want to test the application further, I have set up a Guest login and a test database that you can use without fear of phishing! Just PM me and I will give you the info as I really do appreciate the constructive criticism. Otherwise, the encrypted site is now up if you want to take a look: esqlclient.azurewebsites.net

  • octavuslimited (7/23/2013)


    OK, I understand the concern about "phishing" but still believe it comes down to an issue of trust with the vendor. The application requires the same information that you would provide to access Azure SQL for example so obviously there is greater trust with Microsoft than an unknown vendor, I get that! Otherwise, it's not an issue specific to this application but to cloud/web services in general?

    Not correct. For Azure, they have my credentials to what I host there. Not what I host elsewhere. You allowing anyone to connect to another server means that you are the man in the middle, with credentials to machines outside your service.

    There certainly is greater trust with MS since they have more liability and I have more recourse with them. With you, I have no idea who you are, your assets, or your ability to make good any issues.
