---
title: "Annotated Schema Security Considerations (SQLXML 4.0) | Microsoft Docs"
ms.custom: ""
ms.date: "03/17/2017"
ms.prod: "sql-server-2016"
ms.reviewer: ""
ms.suite: ""
ms.technology:
  - "dbe-xml"
ms.tgt_pltfrm: ""
ms.topic: "reference"
helpviewer_keywords:
  - "mapping schema [SQLXML], security"
  - "annotated XDR schemas, security"
  - "XDR schemas [SQLXML], security"
  - "annotations [SQLXML]"
  - "annotated XSD schemas, security"
  - "SQLXML, annotated XSD schemas"
  - "SQLXML, annotated XDR schemas"
  - "security [SQLXML], annotated schemas"
  - "XSD schemas [SQLXML], security"
ms.assetid: 7d7e44dc-b6d3-4e0f-95c7-8f99930c94f2
caps.latest.revision: 22
author: "douglaslMS"
ms.author: "douglasl"
manager: "jhubbard"
---

# Annotated Schema Security Considerations (SQLXML 4.0)

The following are security guidelines for using annotated schemas:

  • Avoid default mapping in mapping schemas. With default mapping, element names map directly to table names and attribute names map directly to column names, so the resulting XML document carries the real database schema (table and column names) to every client that receives it. A user who can see the XML therefore learns the layout of the underlying tables, which is useful reconnaissance for anyone probing the database and presents a potential security risk. To avoid this, give elements and attributes arbitrary names in the schema and use the `sql:relation` and `sql:field` annotations to map them explicitly to tables and columns, so the real names appear only in the schema and never in the generated XML. For more information about using default mapping when you create XSD schemas, see Default Mapping of XSD Elements and Attributes to Tables and Columns (SQLXML 4.0).

  • Explicit mapping moves the database information (table names, column names, key fields and relationships) out of the XML output and into the annotations, but it does not remove it: the mapping schema itself still contains the complete mapping. Treat the schema as a sensitive server-side artifact. Clients need only the XML it produces, so do not make the schema publicly available (for example, by placing it in a web-accessible directory or returning it to callers).

  • Certain queries may take much longer to execute than others, in particular queries against a mapping schema that uses recursion (a self-referencing relationship with `sql:max-depth` set to a high value), because each additional level of depth adds another join to the generated query. A query that runs for a long time ties up a server connection and, if callers can trigger it at will, can be used to exhaust server resources. Keep `sql:max-depth` as small as the application needs, and optionally specify a time-out by setting the Command Time Out property (in seconds) in the connection string's Command Properties. For example:

    ```vb
    Set cn = CreateObject("ADODB.Connection")
    cn.Open "Provider=SQLOLEDB;Server=localhost;Database=tempdb;Integrated Security=SSPI;Command Properties='Command Time Out=50';"
    ```

    Commands executed on this connection that run longer than 50 seconds are aborted with an error instead of running indefinitely.
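The following annotated XSD schema is an added example that puts the first and third guidelines together; it is not code from the original page. It assumes a hypothetical table `Emp` with columns `EmployeeID`, `ReportsTo` (the manager's `EmployeeID`), `FirstName` and `LastName`; the table, column, element, attribute and relationship names are all illustrative. The element and attribute names the client sees (`Person`, `Id`, `Manager`, `Name`) are deliberately unrelated to the real names, which appear only in the `sql:relation` and `sql:field` annotations, and the recursive self-join is bounded with `sql:max-depth`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original page. Assumes a hypothetical table
     Emp(EmployeeID, ReportsTo, FirstName, LastName) where ReportsTo holds the
     manager's EmployeeID. All names below are illustrative. -->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:sql="urn:schemas-microsoft-com:mapping-schema">

  <!-- Self-join on the same table: the schema is recursive. -->
  <xsd:annotation>
    <xsd:appinfo>
      <sql:relationship name="ManagerToReport"
                        parent="Emp"
                        parent-key="EmployeeID"
                        child="Emp"
                        child-key="ReportsTo" />
    </xsd:appinfo>
  </xsd:annotation>

  <!-- The generated XML contains only "Person", "Id", "Manager" and "Name".
       The real table and column names stay in the annotations. -->
  <xsd:element name="Person" type="PersonType"
               sql:relation="Emp"
               sql:key-fields="EmployeeID" />

  <xsd:complexType name="PersonType">
    <xsd:sequence>
      <!-- Nested Person elements are the direct reports of the enclosing one.
           sql:max-depth caps the nesting so the query cannot walk an
           arbitrarily deep hierarchy. -->
      <xsd:element name="Person" type="PersonType"
                   minOccurs="0" maxOccurs="unbounded"
                   sql:relation="Emp"
                   sql:key-fields="EmployeeID"
                   sql:relationship="ManagerToReport"
                   sql:max-depth="3" />
    </xsd:sequence>
    <xsd:attribute name="Id"      type="xsd:integer" sql:field="EmployeeID" />
    <xsd:attribute name="Manager" type="xsd:integer" sql:field="ReportsTo" />
    <xsd:attribute name="Name"    type="xsd:string"  sql:field="LastName" />
  </xsd:complexType>
</xsd:schema>
```

With default mapping the same data would be served from an element named `Emp` with attributes named `EmployeeID`, `ReportsTo` and `LastName`, handing every client the table and column names. With the schema above, an XPath query such as `Person` returns nested `<Person Id="..." Manager="..." Name="...">` elements at most three levels deep, and the schema file that holds the real names is kept on the server rather than published to clients.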

## See Also

Annotated XSD Schemas in SQLXML 4.0