如何将Excel安全连接到sql server 2008?
[英]How do I connect Excel securely to sql server 2008?
问题描述
My company wants to have approximately 100 of their sales people (distributed around the country) to be able to run stored procedures from excel and return the data onto the spreadsheet. 
我的公司希望大约有100名销售人员(分布在全国各地)能够运行excel中的存储过程,并将数据返回到电子表格中。
We have sql server 2008. i need to figure out a safe way to do this. 我们有sql server2008。我需要找出一种安全的方法来做到这一点。
i will create a form in excel where the user can push a command button to refresh the data based on the parameters that they choose. 我将在excel中创建一个表单,用户可以在该表单中按下命令按钮以根据他们选择的参数刷新数据。
- how can i ensure that the connection from excel to the sql server is secure? 如何确保从excel到sql server的连接安全?
- how do i run a stored procedure from excel? 我如何从Excel运行存储过程?
i found this to be very good information: http://office.microsoft.com/en-us/excel-help/connect-to-import-sql-server-data-HA010217956.aspx 我发现这是非常好的信息: http : //office.microsoft.com/zh-cn/excel-help/connect-to-import-sql-server-data-HA010217956.aspx
Windows Authentication Select this option to use the Windows user name and password of the current user.
however, i would like your input on this. 但是,我希望您对此提供意见。
yes, the sales reps do have windows logins, but can i use this solution if they will actually be entering specifying the data criteria, then sending the criteria over into the stored procedure and then getting the data from the server? 是的,销售代表确实具有Windows登录名,但是如果他们实际要输入来指定数据标准,然后将这些标准发送到存储过程中,然后从服务器获取数据,我可以使用此解决方案吗?
2 个解决方案
解决方案1
3 已采纳 2012-01-27 19:19:07
Allowing users direct connections to your database is tricky. 允许用户直接连接到您的数据库很棘手。 First off, you expose yourself to attack from without, as user accounts are compromised more frequently than well-isolated admin and service accounts. 首先,由于用户帐户比妥善隔离的管理员和服务帐户更容易受到攻击,因此您容易受到来自外部的攻击。 Having said that, the user account does need to be compromised to allow an attacker into the system, and you have good granularity of control built into SQL Server if every user has their own credentials. 话虽这么说,确实需要妥协用户帐户以允许攻击者进入系统,并且如果每个用户都有自己的凭据,则SQL Server内置了良好的控制粒度。
Using the Excel-native interfaces isn't that different from doing it via VBA or VSTA, which is how most developers did it for the last decade or so. 使用Excel本机界面与通过VBA或VSTA进行操作没有什么不同,这是过去十年左右大多数开发人员的方式。 Those methods are about as secure as your network. 这些方法与您的网络一样安全。 I believe the Excel-native functionality works without extraneous references, as well, which is particularly nice for maintenance purposes. 我相信Excel原生功能也可以在没有多余引用的情况下使用,这对于维护目的特别有用。 The main difference seems to be in the ability to do arbitrary queries. 主要区别似乎在于执行任意查询的能力。 For security and data integrity purposes, this is probably for the best. 为了安全和数据完整性,这可能是最好的。
Running a stored procedure is probably not a good idea, as you can get into massive support requirements if your users start needing(wanting) tweaks frequently. 运行存储过程可能不是一个好主意,因为如果您的用户开始频繁地需要(调整)调整,则可能会遇到大量的支持需求。 Can you make do with a view? 你可以用一个视图来做吗? Excel's inbuilt filtering and sorting abilities are pretty powerful. Excel的内置过滤和排序功能非常强大。 That would be my first approach. 那将是我的第一个方法。
There are several approaches depending on your needs: 有几种方法取决于您的需求:
1 - modify your schema to allow the database to tie data to individual users 1-修改架构以允许数据库将数据绑定到各个用户
2 - move the access code into a VBA macro associated to the workbook. 2-将访问代码移动到与工作簿关联的VBA宏中。 This is not recommended, but it will allow you to use ADO directly. 不建议这样做,但是它将允许您直接使用ADO。 Be SURE you have a solid security configuration on the database side if you do this, as an attacker who gains access to a user's account will be able to do anything that user can do. 如果要这样做,请确保在数据库端具有可靠的安全配置,因为获得用户帐户访问权限的攻击者将能够执行用户可以执行的任何操作。
To go the VBA route, in the VBA environment Tools->References to find the latest Microsoft ADO version. 要使用VBA路由,请在VBA环境中的“工具”->“参考”中找到最新的Microsoft ADO版本。 The VBA code looks something like this: VBA代码如下所示:
Dim Connection as ADODB.Connection
Set Connection = new ADODB.Connection
Connection.Open"Provider=SQLNCLI;Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;"
Dim command As ADODB.command
command.CommandText = "exec sp_something"
Dim Parameters(2) As ADODB.Parameter
Set Parameters(1) = New ADODB.Parameter
Parameters(1).Name = "field_name"
Parameters(1).Type = adVarChar
Parameters(1).Size = 50
Set Parameters(2) = New ADODB.Parameter
Parameters(2).Name = "field_name_2"
Parameters(2).Type = adVarChar
Parameters(2).Size = 50
Dim i As Integer
For i = LBound(Parameters) To UBound(Parameters)
command.Parameters.Append Parameters(i)
Next i
Dim Records As ADODB.Recordset
Set Records = command.Execute
Tie that macro to your button, set up your values via the sheet or an input box, and fire away. 将宏绑定到您的按钮,通过工作表或输入框设置值,然后触发。 But I'll repeat my warning: Going this way leads to massive support requirements. 但是,我会再次警告我:这样做会导致大量的支持需求。 If people want to extract custom data, then they get very particular about it. 如果人们想提取自定义数据,那么他们会对此非常重视。
解决方案2
1 2012-01-27 21:40:11
Instead of the article you linked, I'd rather use VBA script with reference to the ADO library and a normal connection string with a technical SQL user. 与您链接的文章不同,我宁愿使用VBA脚本来引用ADO库,并使用与技术SQL用户的常规连接字符串。
Since the password would be in the connection string in this case, this technical user should have no other rights than executing your stored procedures. 由于在这种情况下密码将在连接字符串中,因此该技术用户除执行存储过程外没有其他权限。
Let me know if you need more details. 让我知道您是否需要更多详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.