Hello

I am about to start working on a new system which will need to support multiple users and potentially allow the database to be accessed over the Internet.

The system will be Win32, not web-based; the database will just be in an office and accessible from anywhere. I am not sure if this is a dangerous approach security-wise, and am open to suggestions.

The database will be SQL Server and the system will be implemented in Delphi 6.

Does anyone know how I go about starting this? I will need to take into account record locking as well.

If anyone could provide links to good articles that would be appreciated.

Cheers

Paul

+1  A: 

You probably mean a client-server system that communicates through TCP/IP.

You can create this using the Indy components. Be sure to check the examples because they are not easy to use, but you can create almost anything network related with them.

Gamecat
No need for adding such a Delphi-only layer in such an architecture. A VPN will do it just fine.
A.Bouchez
Actually, I have an SQL Server database connected directly at home and a client application at work that just uses ADO to connect straight to this database without the need of any TCP/IP component. ADO has this support built-in. So Indy? Don't use it, unless you want to retrieve other stuff from the server too...
Workshop Alex
I would like to keep things as simple as possible. I am still torn between implementing a client-server type or allowing the client to write straight to the database.
Paul
Any database library has "built-in support" to connect to a database, usually with "built-in" support for TCP/IP :) ADO by itself uses whatever the underlying database driver supports to connect to a database.
ldsandon
+5  A: 

IMHO, the easiest way for you is to create a VPN that securely exposes your database over the Internet.

Security will be very good, because access to the database will be available only through a trusted VPN connection.

And your database will be available from anywhere, using the Internet just as a tunnel to transport your database packets safely.

So your Delphi code will connect to the database just as usual, using a TCP/IP connection, via the VPN secure tunnel.

No need to add additional Delphi-only artifacts, like Indy components and such. And you will be able to connect to your database from non-Delphi clients, which could be a good idea if you want to use some database browsing tool.

A.Bouchez
+2  A: 

Exposing the database on the Internet is a security risk. Security flaws could be easily exploitable remotely.

Solutions are:

  1. VPN, as said in other answers. Simple and secure, but requires some setup on both end-points (clients and VPN server), and may require proper software on the server (or a VPN router/appliance) and on the client as well if you're not using standard VPN protocols.
  2. An n-tier application, where only the application server is exposed to the Internet. You still have to protect the application server properly and the transmission channel. May require less setup on the client side. Delphi 6 offers DataSnap as an n-tier library (it also still supports CORBA, but it was dropped since D7). DCOM is not very firewall friendly (but can be configured to work across them) but can secure the channel on its own; the other two options (socket and HTTP) are easier to set up but a little less secure (they work using DCOM proxies, thereby the client identity is lost, and require custom code or certificates to secure the channel).
  3. A third solution could be to let users connect remotely via remote desktop, but it requires licenses and a machine able to sustain the remote sessions load.

Record locking is handled by the database itself - read the documentation about SQL Server locking modes carefully to avoid bad surprises later. If the connection is not fast enough you may choose to cache some data on the client side (TClientDataset works well for that), and it can also reduce locking issues, but it can introduce update conflicts.

ldsandon
I will research option 1, I think.
Paul
To set up a VPN you need a "VPN server". It could be a PC with the right software installed (Windows Server comes with it, several are available for Linux), or a router/appliance that can work as such. Don't install the VPN server on the same machine where the database is, or you get very little more security. User machines need to be configured using a VPN client, or use a VPN gateway at their remote location. There are some protocols available; the more recent ones like L2TP are usually better, and be careful to choose the proper authentication methods. VPNs are secure when properly configured.
ldsandon
+1  A: 

Actually, there are dozens of techniques possible, depending on your experiences, preferences and tools that you have available. I would advise you to use ADO to connect to the database and not the BDE, though. To do this, you can use the ADO components that are part of Delphi or import the msado15.dll type library into your project to use raw ADO API calls. The latter will require a lot more experience!
SQL Server is able to just expose itself to the Internet, although this creates a security risk. Still, someone who wants to access it will need a username and password to get a connection and you would need to open the ports that SQL Server uses. But technically speaking, to use ADO over the Internet, all you need to know is the IP address of a working server, plus login information. It's a security risk, though. And for that reason, most developers will not expose SQL Server to a database but just write web services to wrap around the specific database functions that you want to expose.
Record locking is something SQL Server will do for you, and if you use transactions you can make it even a bit more secure.

In the end, the things you need to learn and read about depend heavily on the things you want to do in your application. So before you even start to write some code, start writing a functional design to get an overview of what you want and what you would need for this. From this document, start writing technical documents to describe more precisely what your code needs to do. Once you have this, you can ask more direct questions about the things you need, yet don't know at the moment.

Workshop Alex
Thanks, I have access to Delphi 6 with all the ADO components, which I can use directly or via the type libraries.
Paul
I will go to the user and see if a VPN is an option.
Paul
Putting a database directly on the Internet is a very high security risk. The SQL Slammer worm showed what could happen when SQL Server is put directly on the Internet. Databases often have known users and passwords that, if not properly disabled or configured, are big risks, or secondary services that could be exploited as well (as the one exploited by Slammer). Transactions have nothing to do with security; they are all about data consistency.
ldsandon
Transactions will make your code a bit more secure when an update to multiple records fails. It would allow the complete update to be rolled back, instead of hanging in a partial update limbo.
Workshop Alex
And yes, connecting SQL Server directly to the Internet is a security risk. Technically, so is anything else you connect to the Internet! In this case, we're talking about SQL Server, which doesn't have any default user accounts in general.
Workshop Alex
"Security" <> "integrity". If a multiple-record update fails, the risk is to lose data integrity, not data security. Word semantics matter here. Everything on the Internet is a risk, but some applications are riskier than others. Databases are usually designed to be connected to, not to stop connections. Not all support encrypted connections out of the box. If a vulnerability exists, there are no more protection layers before the data. Best practices exist, and data servers need to be protected (usually; there may be cases when it doesn't matter).
ldsandon
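The second and fourth answers above mention SQL Server record locking, update conflicts from client-side caching, and wrapping a multi-row change in a transaction; the following is an added example, not code from the question or any answer, showing how a Delphi 6 client would do that with the dbGo/ADO components. The table, columns, host and catalog names are assumed for illustration.

```delphi
uses
  SysUtils, DB, ADODB;

// Windows authentication (Integrated Security) avoids shipping a SQL login
// inside the client executable; host and catalog names are assumed here.
function ConnectInventory: TADOConnection;
begin
  Result := TADOConnection.Create(nil);
  Result.LoginPrompt := False;
  Result.ConnectionString := 'Provider=SQLOLEDB;Data Source=db-host.example;' +
    'Initial Catalog=Inventory;Integrated Security=SSPI';
  Result.Open;
end;

// Assumed schema: Stock(Id INT PRIMARY KEY, Qty INT). Moves Qty units between
// two rows in one ADO transaction. The debit only matches while enough stock
// remains, so a concurrent change by another client makes ExecSQL report 0
// rows and the whole transfer rolls back instead of being left half-applied.
procedure TransferStock(Conn: TADOConnection; FromId, ToId, Qty: Integer);
var
  Q: TADOQuery;
begin
  if Qty <= 0 then
    raise Exception.Create('Quantity must be positive');
  Q := TADOQuery.Create(nil);
  try
    Q.Connection := Conn;
    Conn.BeginTrans;
    try
      Q.SQL.Text := 'UPDATE Stock SET Qty = Qty - :amount ' +
                    'WHERE Id = :id AND Qty >= :needed';
      Q.Parameters.ParamByName('amount').Value := Qty;
      Q.Parameters.ParamByName('id').Value := FromId;
      Q.Parameters.ParamByName('needed').Value := Qty;
      if Q.ExecSQL <> 1 then
        raise Exception.CreateFmt('Insufficient stock or no row %d', [FromId]);
      Q.SQL.Text := 'UPDATE Stock SET Qty = Qty + :amount WHERE Id = :id';
      Q.Parameters.ParamByName('amount').Value := Qty;
      Q.Parameters.ParamByName('id').Value := ToId;
      if Q.ExecSQL <> 1 then
        raise Exception.CreateFmt('No destination row %d', [ToId]);
      Conn.CommitTrans;
    except
      Conn.RollbackTrans; // nothing partial survives a failure
      raise;
    end;
  finally
    Q.Free;
  end;
end;
```

The transaction and the conditional UPDATE guard data consistency only, as the comments above point out; the connection itself still has to be protected by the VPN or by an application server in front of the database.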