.net 2.0 DataList security



Being a classic .asp programmer I'm very fond of the idea of using the drag
and drop DataList control that's in asp.net 2005. This sounds like it will
totally save me a ton of work and time in not having to recreate the wheel
as I find myself recoding the same basic data access controls/forms in
classic .asp for all of my user requests. The data that we have is
sensitive data and I've installed the Certificate Service on our IIS 5.0 web
server which should be encrypting the whole communication from our web
server to our database SQL Server 2000 server (which is on a different
machine). In using this https/ssl method I've been storing the connection
string in a connection string .asp file and have individual SQL logins for
each user that accesses the data to our SQL Server database.

I guess I'm not too clear on the back end things with this DataList control
since there's no script file being created with all of the statements. Is
using this DataList control secure in that SQL injection won't be possible?
Is it ok to use this control where all of the hidden backend SQL commands are
secure and that it won't be necessary in having to create and write
parameterized stored procedures as the known good programming practice?
Also, in continuation with my above paragraph I notice that in configuring
the SQLDataSource for the DataList control it appears that there will always
only be one so called "generic" login (whether it's Windows Authentication
or SQL Authentication being chosen in the Configure Data Source) as the
connection to our SQL Server in that we need to track all individual user
activity to the database. I had created an automatic profiler trace stored
procedure which has been extremely helpful for the past few years in doing
the 'heavy lifting' of documenting all user activity and operation on the
database. So is there a way to modify the connection setting to allow any
individual with valid SQL login credentials to connect to our SQL Server?
Will the current https/ssl setup that I have for my classic .asp
applications be ok to implement the same way in creating asp.net 2005
applications in that the connection string will be stored as a SQL
authentication string in one of the asp.net 2005 project files since the
whole communication layer is being encrypted?

John

