Reputation: 176
I have created an SQL Server and a Client (C#) that directly queries the server. The problem is that I feel this is not secure, because every client (say 5 different clients in total) now has the connection string and I believe this is a crucial vulnerability.
What is the best way to create a back-end for an SQL Server running on my machine? This SQL Server will have to be accessible over the internet from various clients. Is the best option some C# application running with some library to interpret calls from the client?
Upvotes: 0
Views: 185
Reputation: 56727
There are many possible solutions. Exposing the database server is always a security risk. As you're obviously running on a Windows server, I'd use a WCF service to handle the communication between the clients and the database.
It is also possible to implement REST services in C#, which allows you to communicate via ports 80 or (preferably) 443. That, depending on the firewall configuration, may be a good idea anyway, as it is a standard port which in most cases will be open for outgoing communication from the client side and can be enabled on the server side.
Look at existing APIs (for example for online shops, etc) to see how they group resources. This will help you design better APIs yourself.
Upvotes: 1
Reputation: 1864
It will never be secure if you allow your clients to CRUD without login; it is also insecure if you pass your connection string to your client if it is not necessary.
The better practice to implement a more secure backend application is to wrap actions into an API (let's say UpdateClientInfo()); all database accesses go into the APIs and you only allow your client to make use of the API. In this case your connection string will not be transferred via the internet.
When the existing APIs are not suitable for your clients, kindly ask them to pull a request and implement the request, instead of providing the connection string to them.
It is also necessary to require the clients to provide user + password when they would like to access your service.
Upvotes: 2
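The pattern both answers describe (a REST endpoint over 443 that wraps the UpdateClientInfo() action, keeps the connection string on the server and requires the caller to log in), as an added example that is not code from the question or either answer. It assumes an ASP.NET Core minimal API, the Microsoft.Data.SqlClient package, a JWT bearer scheme configured in appsettings, and a hypothetical Clients table with Id, Name and Email columns.

```csharp
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);

// The connection string lives only in server-side configuration (appsettings.json,
// an environment variable or a secret store); it never travels to a client.
string connectionString = builder.Configuration.GetConnectionString("Clients")
    ?? throw new InvalidOperationException("ConnectionStrings:Clients is not configured");

// Assumption: a JWT bearer scheme is configured under Authentication:Schemes:Bearer.
builder.Services.AddAuthentication("Bearer").AddJwtBearer();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();   // serve the API over 443 only
app.UseAuthentication();
app.UseAuthorization();

// UpdateClientInfo() from the answer, exposed as a single REST endpoint.
app.MapPut("/clients/{id:int}", async (int id, ClientInfo info) =>
{
    // Server-side validation that a client with direct SQL access could have skipped.
    if (string.IsNullOrWhiteSpace(info.Name) || info.Name.Length > 100)
        return Results.BadRequest("name is required and at most 100 characters");

    await using var conn = new SqlConnection(connectionString);
    await conn.OpenAsync();
    // Parameterised statement: the client supplies values, never SQL text.
    await using var cmd = new SqlCommand(
        "UPDATE Clients SET Name = @name, Email = @email WHERE Id = @id", conn);
    cmd.Parameters.AddWithValue("@id", id);
    cmd.Parameters.AddWithValue("@name", info.Name);
    cmd.Parameters.AddWithValue("@email", info.Email ?? (object)DBNull.Value);

    int rows = await cmd.ExecuteNonQueryAsync();
    return rows == 1 ? Results.NoContent() : Results.NotFound();
})
.RequireAuthorization();   // caller must present valid credentials (here a bearer token)

app.Run();

// Request body: only these fields cross the network, never a connection string.
record ClientInfo(string Name, string? Email);
```

The SQL login used in the server's connection string can be limited to exactly the statements the endpoints need, so even a compromised client account cannot reach beyond what the API exposes.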