Data Access


The ADO.NET SQL Server data provider supports partial trust callers. The other data providers, including the OLE DB, Oracle, and ODBC providers, currently require full trust callers.

If you connect to SQL Server using the SQL Server data provider, your data access code requires the SqlClientPermission. You can use SqlClientPermission to restrict the allowable range of name/value pairs that can be used on a connection string passed to the SqlConnection object. In the following code, the CheckProductStockLevel method has been enhanced with an additional security check to ensure that blank passwords cannot be used in the connection string. If the code retrieves a connection string with a blank password, a SecurityException is thrown.

    [SqlClientPermissionAttribute(SecurityAction.PermitOnly,
                                  AllowBlankPassword=false)]
    public static int CheckProductStockLevel(string productCode)
    {
      // Retrieve the connection string from the registry
      string connectionString = GetConnectionString();
      . . .
    }
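The same attribute can also pin the connection string's name/value pairs, not just the blank-password rule. The following is an added example, not code from the book: it assumes the .NET Framework with code access security enforced, and the server, database, table, column and product code values are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Permissions;

public static class StockData
{
    // Only this server and database with Windows authentication pass the
    // stack walk. "Encrypt" and "Packet Size" are the only extra keywords a
    // supplied connection string may add. Blank passwords stay disallowed.
    // Server and database names are hypothetical.
    [SqlClientPermission(SecurityAction.PermitOnly,
        ConnectionString = "Data Source=dbserver01;Initial Catalog=Products;Integrated Security=SSPI;",
        KeyRestrictions = "Encrypt=;Packet Size=;",
        KeyRestrictionBehavior = KeyRestrictionBehavior.AllowOnly,
        AllowBlankPassword = false)]
    public static int CheckProductStockLevel(string connectionString, string productCode)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT StockLevel FROM Stock WHERE ProductCode = @code", conn))
        {
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 20).Value = productCode;
            conn.Open(); // the provider's SqlClientPermission demand is made when opening
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? 0 : Convert.ToInt32(result);
        }
    }

    public static void Main()
    {
        // Constructed sample input: a SQL login with a blank password, which
        // uses keywords outside the allowed set.
        string rejected = "Data Source=dbserver01;Initial Catalog=Products;User Id=sa;Password=;";
        try
        {
            CheckProductStockLevel(rejected, "P-1001");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Connection string rejected: " + ex.Message);
        }
    }
}
```

Because PermitOnly leaves only SqlClientPermission available below this frame, the connection string is passed in as a parameter here rather than read inside the restricted method.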

For more information about how to sandbox data access code to allow the OLE DB and other data providers to be used from partial trust Web applications, see Chapter 9, "Using Code Access Security with ASP.NET."




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
