I have a Windows Forms solution which I have to implement as a WPF browser application. All the code does is query a SQL Server based on a parameter given in a textbox.

string conString= @"Data Source = SQLserver; Initial Catalog = database; Integrated Security=SSPI;";
using (SqlConnection c = new SqlConnection(conString))
{
    c.Open();
    using (SqlDataAdapter a = new SqlDataAdapter(
    @"SELECT * from datatable where col1 = '" + textBox1.Text + @"' 
      Order By col2;", c))
    {
        // fill a data table
        a.Fill(source);
    }
}

This SQL Server accepts only integrated Windows authentication. So to make it work I simply runas the WinForms exe under the required user account.

How can I somehow run that WPF under the same account? Please note that it needs to be hosted on a web server and has to be available for many users.

fishmong3r
  • "web based WPF" - there is no such thing. Please clarify. – Dai Jun 23 '15 at 21:21
  • sorry, WPF browser application – fishmong3r Jun 23 '15 at 21:21
  • Is it run under a LAN environment or over the public Internet? If it's over the Internet then you shouldn't connect directly to the database server for a large number of reasons. – Dai Jun 23 '15 at 21:23
  • It's a corporate intranet. – fishmong3r Jun 23 '15 at 21:23
  • Do you have DBA access to the database server to create a SQL Server Login based on Active Directory group membership? You'll need to restrict permissions to prevent anyone from directly executing malicious SQL commands. – Dai Jun 23 '15 at 21:26
  • There is only one specified Windows account that has access to the db. This is why I need this connection to be initiated in the "name" of this account. Like runas. – fishmong3r Jun 23 '15 at 21:27
  • That's not something you can do, sorry. You'll need to use classic SQL Authentication rather than Windows Authentication or modify your application to use an intermediary Web Service rather than connecting directly. – Dai Jun 23 '15 at 21:30
  • So you say it is possible via winform but not wpf? – fishmong3r Jun 23 '15 at 21:32
  • No, the scenario is exactly the same with WinForms too (if you were using WinForms hosted in a browser). This question really doesn't have anything to do with WPF. – Dai Jun 23 '15 at 21:33
  • Also, FWIW, in-browser WPF is on the way out (and not supported by Microsoft Edge). I strongly suggest you re-architect your application accordingly. – Dai Jun 23 '15 at 21:45
  • `@"SELECT * from datatable where col1 = '" + textBox1.Text + @"' Order By col2;", c)` ... what if I put `"' OR 1;DROP TABLE database; --"` in textbox1? – Jimmy Chandra Jun 23 '15 at 22:02
  • @JimmyChandra I appreciate your warning, though this is only a sample code. I always use parameterized queries. If you have any idea about the real question here please share it with me. – fishmong3r Jun 23 '15 at 22:15
  • You probably need to find out the account that is used (on your web server) and give that account permission to access the database...Integrated Auth will work nicely... – SKG Jun 23 '15 at 22:30
  • So I understand what you are asking, let me paraphrase... "You want to run the app using a *certain* user credential and not whoever is currently logged in on the machine?" If so, the right question should be "How can I *impersonate* a certain user when querying Sql Server from WPF browser application?". Look up user impersonation in C# or something like that. For example: https://msdn.microsoft.com/en-us/library/w070t6ka%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396 – Jimmy Chandra Jun 24 '15 at 00:28
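
The parameterized form of the query from the question, as an added example that is not part of the original thread. The connection string and the table and column names are taken from the question; the `NVARCHAR(50)` type for `col1` and the `Col1Query` class with its methods are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // .NET Framework; on current .NET use Microsoft.Data.SqlClient

static class Col1Query
{
    // Connection string as in the question; server and database names are its placeholders.
    const string ConString =
        @"Data Source=SQLserver;Initial Catalog=database;Integrated Security=SSPI;";

    // Builds the question's SELECT with col1 bound as a parameter instead of concatenated text.
    // Assumption: col1 is NVARCHAR(50); match the real column type and length.
    public static SqlCommand BuildCommand(string col1Value)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM datatable WHERE col1 = @col1 ORDER BY col2;");
        cmd.Parameters.Add("@col1", SqlDbType.NVarChar, 50).Value =
            (object)col1Value ?? DBNull.Value;
        return cmd;
    }

    // Runs the query and returns the rows; needs a reachable SQL Server.
    public static DataTable Load(string col1Value)
    {
        var source = new DataTable();
        using (var c = new SqlConnection(ConString))
        using (var cmd = BuildCommand(col1Value))
        using (var a = new SqlDataAdapter(cmd))
        {
            cmd.Connection = c;
            a.Fill(source); // Fill opens and closes the connection itself
        }
        return source;
    }

    static void Main()
    {
        // Constructed input containing a quote, which would break the concatenated statement.
        using (var cmd = BuildCommand("O'Brien"))
        {
            Console.WriteLine(cmd.CommandText);               // statement text stays constant
            Console.WriteLine(cmd.Parameters["@col1"].Value); // input is sent separately as data
        }
    }
}
```

`Main` only builds the command, so it runs without a database; `Load` is the replacement for the `SqlDataAdapter` block in the question.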

0 Answers