Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
aiken
Aged Yak Warrior
525 Posts |
 Posted - 2004-02-21 : 17:46:01
|
| Ok, so I'm finally hunkering down to work with some of SQL server's much vaunted XML capabilities. And... it appears that SQL server can generate XML results, and can read XML files from the filesystem... but can't retrieve XML via HTTP?Is that really possible? I'm looking at either using sp_oacreate and WinHTTP, or writing a small vb app to pull a remote XML document down to the local filesystem once a minute, but I'm having a hard time believing that that's actually not available via SQL Server's native XML functions. Surely I'm just missing something?Anyone?Cheers-b |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2004-02-21 : 18:33:33
|
| No, you're not missing something. Opening SQL Server up directly to HTTP traffic is a significant security risk, and as you've pointed out there are other, safer ways to get the XML to SQL Server. It's one thing to push XML data out via HTTP, but something else entirely to accept it without validation or security checks first. |
 |
|
|
ehorn
Master Smack Fu Yak Hacker
1632 Posts |
Posted - 2004-02-21 : 19:22:32
|
| Aiken, Have a look at the following post. But realize that you are limited to small XML docs of 8000 chars or less using sp_oa methods.http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=30519Also, With regards to validation, Vaiyapuri Subramanian has written a component to perform validation in XML files.http://www.sqlteam.com/item.asp?ItemID=12653Rob, Could you please elaborate on the risks involved with using the method outlined in the link posted here, namely exposing Msxml2.ServerXMLHTTP.3.0 via sp_oa commands. I realize that this method is quite size limiting. But I am trying to better understand the security risks associated. |
|
|
|
aiken
Aged Yak Warrior
525 Posts |
Posted - 2004-02-21 : 19:27:28
|
Hmm... I'm not sure we're on the same page. I'm not talking about allowing arbitrary clients to connect to SQL server via HTTP -- something which I believe *is* actually supported -- but rather letting the SQL server make outbound HTTP requests to collect XML data as part of sp_xml_preparedocument. Seems like it defeats a lot of the purpose of SOAP, XML, et al, if SQL server will need middleware to talk to those data sources. Or at least it makes those things more complicated and (probably) less stable by virtue of involving another process. I have found a utility that hooks the filesystem and makes a remote HTTP document look like a local file, but obviously that's pretty scary to use on a SQL server. It's tempting, though, rather than adding a VB utility APP or using sp_oacreate 1000 times/day.Well, at least I'm not missing something  Thanks-b |
|
|
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2004-02-24 : 05:05:04
|
| You may be able to do what you want with DTSsteveSteve no function beer well without |
|
|
|
|
|
|
|
|
Say it ain't so! XML via HTTP?