I am thinking of using Silverlight instead of WPF as the client and WCF as the server. Does it make sense?
I guess I will have these advantages:
1) More portable because it's Web.
2) I don't need to validate user input in both client and server applications.
The third advantage is my main question: I guess the user cannot see my code, so my application would be safe against hackers. Is this correct? This means that if I store a database connection string in Silverlight, no clients will see it, right?
Thanks.
Answer: 1
1) More portable because it's Web.
More portable : Yes, but limited to the SL reach.
2) I don't need to validate user input in both client and server applications.
Validation: Always repeat client validation on the Server. Whatever you use on the Client, don't trust it.
I guess the user cannot see my code, so my application would be safe against hackers. Is this correct?
No, very much not so. Hackers can still inspect and disassemble your code.
This means that if I store a database connection string in Silverlight, no clients will see it, right?
No, per the above. But Silverlight has not much use for database connection strings anyway ...
SL does not have the ADO.NET libs afaik. Maybe that "SL Full Trust" can use them but I doubt it.
Answer: 2
The .xap file in which your Silverlight Application is packaged is only an archive that contains the DLLs of your application (rename it to .zip and see for yourself) so your code can still be decompiled by anyone who downloads the .xap.
As for your 2nd point, you should validate on the server. I could, for example, sniff the traffic and see that your application calls a WCF web service. From there I could make my own requests to your service without using your application. If you don't validate server-side, bad things will happen.
Also, the "portability" of Silverlight is arguable, but yes I guess it is more portable than a .exe.
by : Vache http://stackoverflow.com/users/446515
Answer: 3
The assembly can easily be extracted and decompiled. Also, you can never know that a request comes from your application if it runs on the client, so do not even think about skipping server validation.
by : H.B. http://stackoverflow.com/users/546730
Answer: 4
1) More portable because it's Web.
Well you'd have to define what you meant by "web" here. It won't work (unless I've missed something) on iOS (using Safari), or Android devices, or probably some others. It's not "web" in the same way that, say, a pure HTML5 application is "web".
2) I don't need to validate user input in both client and server applications.
That's only true if the server can "know" that the input really came from the client. If it's just a web request, it could be posted by anything. In my experience you should always validate on the server - client-side validation is there to make life easier for the user; server-side validation is to really enforce business rules.
The third advantage is my main question: I guess the user cannot see my code, so my application would be safe against hackers. Is this correct?
No. The code is running on the user's machine; it will have been downloaded, and can be decompiled like any other .NET assembly.
by : Jon Skeet http://stackoverflow.com/users/22656
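
The answers above note that a .xap is a zip archive of .NET DLLs that anyone who downloads it can unpack. As an added example (not from the original posts), here is a pre-release audit in Python that scans a package for connection-string style literals so they can be moved behind the WCF service; the key list, function names and the sample package are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Keys that usually mark a connection string or credential (heuristic, not exhaustive).
# The value class is printable ASCII without ; " ' so a match stops at the end of the value.
SECRET_RE = re.compile(r"(?i)\b(password|pwd|user id|uid)\s*=\s*[!#-&(-:<-~]+")

def text_views(data):
    """Yield (encoding, text) decodings of raw bytes.

    .NET stores string literals as UTF-16LE at arbitrary byte offsets, so both
    alignments are tried; XML/config entries inside the package are UTF-8.
    """
    yield "utf-8", data.decode("utf-8", errors="ignore")
    yield "utf-16le", data.decode("utf-16-le", errors="ignore")
    yield "utf-16le", data[1:].decode("utf-16-le", errors="ignore")

def audit_xap(xap_bytes):
    """Return sorted (entry, encoding, key) for each secret-looking setting in a .xap."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for entry in xap.namelist():
            data = xap.read(entry)
            for encoding, text in text_views(data):
                for match in SECRET_RE.finditer(text):
                    # Record only the key name so the report never repeats the secret.
                    findings.add((entry, encoding, match.group(1).lower()))
    return sorted(findings)

def build_sample_xap():
    """Constructed sample package: fake DLL bytes holding a UTF-16LE literal."""
    conn = "Data Source=db.example.test;User ID=app;Password=Constructed-Not-Real;"
    fake_dll = b"MZ\x90\x00" + b"\x07" + conn.encode("utf-16-le") + b"\x00\x01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", "<Deployment EntryPointAssembly='Client' />")
        z.writestr("Client.dll", fake_dll)
        z.writestr("Clean.dll", b"MZ\x90\x00" + "Hello".encode("utf-16-le"))
    return buf.getvalue()

if __name__ == "__main__":
    for entry, encoding, key in audit_xap(build_sample_xap()):
        print(f"{entry}: '{key}=' literal found ({encoding}); move it server-side")
```

A clean result only means no literal matched these patterns; anything the client needs at run time is still readable by the user, so credentials belong on the server regardless.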