Cartesius00

Reputation: 24414

Remote database good practice

We are creating a WinForms .NET4 app with MS SQL Server and we are deciding between two scenarios:

1) WinForms application directly connects to the MS SQL Server.

2) Use a 3-layer architecture and insert a WebServices layer in between.

Questions:

1) Is it a good practice to open SQL connection publicly to the "world"?

2) Which scenario would you recommend? The app is data oriented, quite simple, and we are not planning any other client, only the WinForms one.

Thanks in advance.

James

Upvotes: 3

Views: 234

Answers (2)

p.campbell

Reputation: 100637

Definitely go with the option having a web services layer. This allows you:

  • to continue using your domain model (POCO and serialization).
  • to avoid opening your SQL Server to the internet.
  • to apply advanced business logic in your web services.
  • to remove SQL logic from your client application; all the data access belongs on the app tier.
  • to apply security rules/constraints as you need. Block a customer/user or IP address for various reasons.

Upvotes: 1

slugster

Reputation: 49985

When you say "quite simple and not planning any other client", I would take that with a grain of salt; apps always grow and morph as people realise what they can do and what else they can include. You need to rephrase that as "it is initially going to be a small simple app".

WebServices may be overkill for you at this point in time, but if you follow a nice n-tier architecture they will be very simple to add at a later date, with minimal refactoring.

As for exposing SQL to the world - no, this is NOT a good practice. You can secure it very well, and ensure the logins that are used by the app (or users if they have their own logins) have minimal rights - just enough to run the stored procedures or execute the CRUD statements on the tables they need access to. But if you mess up the security while it is exposed to the world then kiss your SQL Server and its data goodbye. This is a complex subject in itself, so you are better to post individual questions when you have them.

Upvotes: 1
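The "minimal rights" login described in the answer above, sketched in T-SQL as an added example that is not part of either answer. Every object name (`AppDb`, `app`, `Orders`, `GetOrders`, `winforms_app`, `app_client`) is hypothetical and the password is a placeholder.

```sql
-- Added example; all names are hypothetical. Run as a database owner/sysadmin.
USE AppDb;
GO
CREATE SCHEMA app;            -- owned by the creator, so table and procedure
GO                            -- below share one owner (ownership chaining)
CREATE TABLE app.Orders (
    OrderId  int IDENTITY PRIMARY KEY,
    Customer nvarchar(100) NOT NULL
);
GO
CREATE PROCEDURE app.GetOrders
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Customer FROM app.Orders;
END;
GO

-- Dedicated login for the client app: no server roles, no db_owner,
-- no db_datareader/db_datawriter.
CREATE LOGIN winforms_app
    WITH PASSWORD = N'<replace-with-generated-secret>', CHECK_POLICY = ON;
CREATE USER winforms_app FOR LOGIN winforms_app;
CREATE ROLE app_client;
ALTER ROLE app_client ADD MEMBER winforms_app;   -- SQL Server 2012 and later
GO

-- The only right granted: execute procedures in the app schema.
-- Because app.GetOrders and app.Orders have the same owner, the procedure
-- can read the table without the role holding any permission on it.
GRANT EXECUTE ON SCHEMA::app TO app_client;

-- Alternative from the answer (CRUD on specific tables only), if the
-- client must issue statements directly:
-- GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::app.Orders TO app_client;
GO

-- Audit the result by impersonating the app user and comparing its
-- effective permissions with the grants above.
EXECUTE AS USER = 'winforms_app';
SELECT HAS_PERMS_BY_NAME('app.GetOrders', 'OBJECT', 'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('app.Orders',    'OBJECT', 'SELECT')  AS can_select_table,
       HAS_PERMS_BY_NAME('app.Orders',    'OBJECT', 'DELETE')  AS can_delete_rows;
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Granting through a role rather than to the user keeps the permission set in one place if per-user logins are added later.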
