Passing LINQ thru the wire . .a bad idea

I was in .NET training this week.  It was taught by DevelopMentor and as usual the training was really good.  It’s my second class with them and they have really knowledgeable instructors.

An interesting question was brought up when we were learning about LINQ.  A few students were really disappointed in the fact that you weren’t able to pass LINQ thru across the wire to the webserver, to have the ORM setup and run the query for you.  Sounds like a decent idea, the client constructs the LINQ and allows the server to run it, returning an object back.  You have one generic function on the server that runs your LINQ.

Now the reasoning behind it not able to pass to the web server was that they said that LINQ and the lambda expression was not serializable.  I didn’t follow up on the actual reason, but to me to have the a client construct the LINQ and run it is a bad idea.  The reason, security.

Letting the client generate LINQ and run it on the server is really no different than allowing a client direct calls into the database, except for the ORM.  In an ideal world your database is protected with a firewall ,with access only to other servers inside the firewall.  If you allow your web server to run any LINQ from the client, it exposes your database to any CRUD transactions that the (malicious) client creates.  Why even use a three-tier architecture in that case.  The webserver gives you a level of abstraction from the database so you expose only the operations that you trust.  I know it’s a pain to write multiple Get* contracts, but it’s a better alternative to give clients access to your DB.  Any thoughts?

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: