I am a big fan of Firebird DB, I am using it since 1.5.0 version, but I am curious why FB is not that much popular as web sites back-end DB. I would like to use embedded Firebird DB on my websites (after 2.5 version improvements), advantages are obvious (no need to install anything, all dll-s you can put in your web site bin folder and FDB in App_Data – I am using asp.net technology).
My question is: does anybody has some experiences with this approach (Medium Trust shared hosting), and what limitation I might expect? How many concurrent users can be acceptable in such scenario, are there some known issues I need to be aware of and so? Is lack of security mechanism in embedded that big disadvantage for this approach?
Thanks in advance.
First off, I do not have any experience with Firebird. When googling though, I do see reports of problems using it in medium trust. But if you want to know for sure, just try! It might well be that the information I'm reading is old.
Concurrent users is a difficult question to be fairly honest. I suppose it (how many) depends on too many factors to give a good answer. But the most important thing you want to look at is concurrent writing. For example SQL Lite does not support this (afaik), and in a web application this is bound to happen. I think FB supports this, but you might want to check this to be sure.
About security; as far as I know FB does not support encryption nor password protection. This is a valid concern you express, if anyone compromises your server the FB file is there for grabbing. Methods to work around this are not pretty (encrypting before insert/update and decrypting at retrieval, or filesystem encryption), so if security is important this will be your biggest concern.
I'd like to state again that I do not have experience with FB myself, I just express the concerns I would have myself when thinking of such a scenario and try to get some information on the internet.
Related
I'm the custodian of a pretty sophisticated, yet antiquated, ASP.NET application. It is essentially a platform that makes creating database applications easier - with tools to read in database schemas, auto generate forms, reports, charts, and provide extremely extensive tools to manipulate those things within the UI. There are some pretty big clients using the platform for some niche applications, and despite the age of much of the code (some of it written as early as 2001), everything runs pretty well.
The company is doing well enough that i need to start considering a new version, and rather than plastering on some new features, i'd like to consider a fresh start. The current solution is a ridiculous 150 projects - down from about 220 when i first started working on this full time.
Does anyone have any tips or suggestions for the general structure of an enterprise(ish) level application? What new technologies should i consider? Maybe some particular books or websites i should review?
I've got a good handle on all of the specifics that make our platform so flexible - but because i've been locked into the general structure of our code for so long, i feel like i'm way out of touch with how the entire thing needs to be structured on a large scale. The current application still has a bunch of .NET Remoting for communication with the databases (just a tad out of date), and a ton of incredibly inefficient code written by someone who wasn't really a programmer.
WCF to serve info from the data access layer? WIF to authenticate? I'd really like to be able to assemble an API that my business partners can use to connect to the data and use a huge collection of common functions i've got set up - ideally that API could run in a web context or in some other environment.
I know this is a pretty big question that could have a lot of possible answers - just looking for some thoughts on where to really spend our research time.
Thanks!
-RP
If you want to rid yourself of all the authentication / authorization hassles, absolutely go for claims-based applications, WIF, ADFS etc.
That's the Microsoft direction - CMS, SP. Office 365. Windows Azure AD etc. are all now claims-based.
Only problem is that ADFS authenticates against AD. Have a look at Identity Server for something DB related.
Plus ADFS via ACS provides Facebook, Google etc. logons.
I'm making an asp.net web application which will run locally on IIS
for a single user
I don't want this user to access my application files (in the www root ) or bring another programmer and steal my code
I just want the user to have the ability to access the website only and
stop any programmer from knowing my source code
I heard about an USB security system called "Dongle" but can it be used in a situation like this ?
any Ideas ?
thanks in advance
The website is just running code, but like anything, once the user has it they can do what they like to it, whether you like it or not. That's why there is a multi-million {currency} industry around securing applications.
You could use dongles but they're expensive and not trivial to implement. As #volleyball said, obfuscation would slow down most people from decompiling your app. without odfucation any licensing or dongles could just be patched out of your code.
Your most secure route would be to not give it to them. It's a web app, host it. This may not of course not meet your requirements.
Simon
I have never heard of a web application that uses a dongle. This is normally reserved for regular windows apps; and even then it's falling out of vogue. Generally speaking some of the more expensive software packages still use them.
However, the cost of duplicating a dongle is pretty low. Combined with the fact that getting around such security is relatively easy anyway and you have a situation in which you really shouldn't bother.
As Simon said, if it's a web app host it. Otherwise obfuscate it.
If neither of those are possible, then I'd recommend you change your licensing deal with your client to include the possibility of them going elsewhere. Perhaps for an additional charge you'll give them a non-exclusive site license permitting them to do whatever they want with the code short of selling it or giving it to another entity.
did you look at obfuscators. They do a good job at encrypting code. 99% of the time your code cannot be reverse engineered. But if someone sits on your stolen code they can reverse engineer.. In the sense that ordinary people may not obfuscate it. If the person is very intellingent, he will not reverse engineer he will write better code.
I've seen several questions on SO about this, but none of them quite fit what i'm looking for. I've got an ASP.NET Site on my machine that i recently finished, but i'm a little worried about Security. I'm pretty sure I've managed it pretty well, but there's always an offchance i've missed something.
So, I'm looking for a tool that meets the following reqs
Scans a locally hosted (as in, on the same machine as the tool) website for vulnerabilities
Can be installed (i.e, no web based stuff)
(elaborating on #1)... tests ASP.NET (Web Forms, but MVC would be nice too) for SQL or XSS problems. (I figure XSS is hard to test, but SQL injection should be easier to find)
Thanks! Lemme know if i'm not specific enough or if this is better suited for Webmasters SE.
There are a few scanning tools around, some of which are open source, which is nice. The exploits you are talking about are technology agnostic - any app could suffer from them regardless of whether it's .net, java, ruby, etc. This makes testing for them slightly easier. Also, SQL injection and XSS bugs are usually application specific, which makes automagically testing for them harder.
The best thing you can do is not be worried about security, but take specific steps to address issues. Security should always be designed into your application. So carry out a code review on your app. Look for specific things.
Do you have any in-line SQL? Do you modify it any way? Are you using parameters?
Are you escaping any user input before you use it?
The above 2 steps will eliminate most SQL injection/XSS bugs. There are other issues to do with your server setup. Vulnerability scanning tools usually know most of these and can test for them.
We have an ASP.NET app with SQL Server & it is a photo & video sharing site.
Details of photos and videos are stored in tables & the files are in the file system.
Database has 75 tables and 225 stored procedures. The app will be ready for production deployment within next 6 months.
Due to longer time growth concerns, we decided to switch to NoSQL (MongoDB) database.
We have few questions regarding the best way to approach this:
Is it better to deploy the app with SQL Server backend and migrate to NoSQL later?
OR re-architecture now and rewrite/recreate database, tables, procedures and data layer
How difficult will it be re-architecture/recode with MongoDB? Any tools or BKMs?
EDIT:
Our app is Youtube+Flickr type site where user will share photos and videos with lots of comments, tags and ratings (photo\video & comments).
Is NoSQL a better database to move to? Reason for moving: cost + read query speed
Please help me with you valuable advise.
Thank you very much.
Change is always exponentially more expensive the later it is introduced to a project. This is a core principle of software engineering. You should do this now.
That said, I question your long-term vision. Relational databases, used properly, have a lot of performance in them.
This question raises more questions than answers.
Have you benchmarked your current implementation in terms of requests/responses?
Why MongoDB out of all possible NoSQL databases? (Don't get me wrong, I love Mongo, but love and hype should not weigh in technology choices)
Are you certain you will get the large userbase you're expecting? Why are you so certain?
Using stored procs seems to tip off that you aren't using an ORM? Why not?
Generally, I'm against these types of re-architectures. Firstly, you need to get your whole team acclimated to how Mongo affects development. Secondly, your ops team needs to get acclimated to how to deploy and maintain a Mongo installation. More likely than not, this will prevent you from launching in a timeline you want to launch.
I'd say that you should probably launch as is, fix the ORM part if you aren't using one, benchmark your app, benchmark a prototype of your app backed by Mongo and if the performance advantages are so big that it warrants the pain of re-architecture do it.
To your latter question, there aren't any tools right now, as far as I can tell, that'll automate or semi-automate the database import/export from SQL Server to Mongo. There are barely tools to do that for MySQL.
I've done such a migration a few month ago, during the early developement stage of a website in ASP.NET. It was a hard decision, but I could concentrate on that migration. The reason why I did this migration was the ORM that I couldn't trust anymore and some very slow queries that I had no idea how to optimize.
During coding phase, what I figured out was : I was spending a lot of time with the data model in SQL Server (using Entity) and all the plumbery code.
Now, no more store procedures (C# and Linq code instead), no more 2 layers to maintain (the code is the model).
My small experience says : The earlier the better but don't get me wrong, before migrating you really have to think in Document rather than in RDBMS. This means you may have to partially change the businness DataModel to correctly utilize MongoDB features, otherwise you could get bad performances and Mongo DB is useless for bad models.
Another point is the admin stuff. You'll have to quickly learn Mongo DB admin to be up to speed. And even if the tools are good, they completely differ from SQL Server tools.
In conclusion, If you're convinced MongoDB is your future data store and search database,
(and it was in my case), read documentation, take time to do some Proof Of Concept. Then you can think Document and load test you new model.
Your core question appears to be whether to make the switch to MongoDB now, or deploy on SQL and go to MongoDB in a future release.
You do not appear to be using an ORM (e.g. NHibernate, Entity Framework.) Setting other concerns aside, if you're convinced that you want to go to NoSQL, then I would do it now rather than later. Unless you integrate a Provider model for your data access, changing the underlying data access strategy after it is already established would be difficult.
I agree. Switching now is better, if only to avoid the data migration headache switching post-deployment will require.
The current application is a kind of CRM application built upon MS Access. The application is for internal use. My job is to migrate it to ASP.NET web-based application. Now boss requires to keep Access as database and develop ASP.NET code against it.
My question is, is there any disadvantages of using Access as database in ASP.NET application? (e.g. optimistic concurrency issue?) Should I persuade boss to upgrade Access to MS-SQL?
Many thanks!
We've used Access as a backend for web sites with good success. It's cheap, can be used effectively by moderately skilled programmers, and you can store the MDB on a document server so it gets backed up.
Most IT people dislike Access, but from a business perspective, Access can be very valuable.
MS Access is notoriously unstable in multiuser environments. A WEB app is by definition heavily multi-user.
So IMHO leaving MS Access as underlying DB is a call for trouble. At least use SQL Express (it is free)
The problem you are going to face in upgrading from Access to MS-SQL is that there is a major cost investment for the application. If your company already has the infrastructure in place(licensing, hardware...) then you won't have such a hard fight to pursuade your boss.
As for a technical answer:
I'd say you need to let you boss know that access databases aren't ideal for concurrent usage which a web application suggests is the intended goal of the application. My view is that Access is for database information that a SMALL set of users will be simply using for small data entry and querying. NEVER use Access to build an enterprise-level solution.
If you are planning to upgrade a Microsoft Access database to SQL Server 2008, use the SQL Server Migration Assistant (SSMA) rather than the upsizing wizard built into MS
10+ tips for upsizing an Access database to SQL ServerAccess.
Your boss probably likes to do ad-hoc stuff with access / excel. If you move the DB to SQL Server Express you can use Access and it's linked table feature to let your boss keep doing his ad-hoc needs through Access while keeping the data in SQL Server Express. If you keep the linked tables named the same as the old physical ones all his reports and queries will should keep working.
I'm an Access promoter, but not for use on websites because Jet/ACE is not threadsafe (though Michael Kaplan once said that is is threadsafe if you access it via ADO/OLEDB; I don't quite understand how a database abstraction layer can wash away a characteristic of the underlying database engine it's calling, but if MichKa said, it's 99% likely to be true).
Now, the exceptions would be if you're using it for prototyping something that will use a different database, or if it's read-only, or is read-write but will only ever have a very small number of users.
Michael Kaplan's website, trigeminal.com, used to use a Jet database as the back end (it may still -- I don't know that MichKa ever changed it), and when that was his main website he reported getting 100K hits a day. But it's a read-only site, so fits my restrictions.
There are so many different alternatives and they are mostly easy to use that I just don't see the point of trying to use Jet/ACE as back end for a website. I'd never do it myself (all the websites I'm responsible for use MySQL).
Simply put, go with MSSQL. Express edition is free, and will give you everything you need to migrate away from Access. These articles are talking about Access applications specifically, but the same issues will plague you.
http://resources.zdnet.co.uk/articles/features/0,1000002000,39285074,00.htm
https://web.archive.org/web/1/http://techrepublic%2ecom%2ecom/5208-6230-0.html?forumID=102&threadID=205509&messageID=2136367