SQL – Is Executing SQL Through a WebService a Bad Idea?

sql, web services

Typically when creating a simple tool or something that has to use a database, I go through the fairly long process of first creating a webservice that connects to a database, then creating methods on this webservice that do all the types of queries I need, methods like

List<Users> GetUsers()
{
    ...
}
User GetUserByID(int id)
{
    ...
}
//More Get/Update/Add/Delete methods

Is it terrible design to simply make the webservice as secure as I can (not quite sure the way to do something like this yet) and just make a couple methods like this

SqlDataReader RunQuery(string sql)
{
     ...
}

void RunNonQuery(string sql)
{
     ...
}

It would sorta be like exposing my database to the internet I suppose, which sounds bad, but I'm not sure.

I just feel like I waste so much time running everything through this webservice; there has to be a quicker yet safe way that doesn't involve my application connecting directly to the database (the application can't connect directly to the database because the database isn't open to any connections but localhost, and where the application resides the standard SQL ports are blocked anyway).

Especially when I just need to run a few simple queries.

Best Answer

It is terrible design and you know it. You're leaving yourself at the mercy of anyone with even a slight malevolent intent. Apart from being vulnerable to regular SQL injection, you expose an entire webservice to throw SQL at, bypassing even the need to inject it. Doing such a thing with your private database is simply unwise; doing it with a client's production database could also potentially open you to legal consequences if contents are leaked.

Use an ORM if you don't use one already, it might give you the time savings you're looking for.
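The difference between the two designs in the question, shown as a small added example that is not part of the question or the answer and is not the asker's C# service: a Python model with an in-memory SQLite database stands in for the webservice, `run_query` plays the proposed `RunQuery(string sql)` endpoint, `get_user_by_id` plays the typed `GetUserByID(int id)` method, and `run_select_only` is a hypothetical "only allow SELECT" filter added to show why a keyword filter does not rescue the open endpoint. The tables, rows and secret value are constructed for the demo.

```python
import sqlite3

SECRET = "constructed-secret-123"  # sample value, constructed for this example


def make_db():
    """Constructed sample database: a users table and a table the web client must never read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE api_keys(owner TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
    """)
    conn.execute("INSERT INTO api_keys VALUES (?, ?)", ("alice", SECRET))
    return conn


def run_query(conn, sql):
    """Hypothetical RunQuery(string sql) endpoint from the question: executes whatever it is sent."""
    return conn.execute(sql).fetchall()


def run_select_only(conn, sql):
    """Hypothetical 'SELECT only' filter on the open endpoint. It blocks DROP/UPDATE,
    but the caller still chooses which tables to read, so it is not a fix."""
    if not sql.lstrip().upper().startswith("SELECT"):
        raise PermissionError("only SELECT allowed")
    return conn.execute(sql).fetchall()


def get_user_by_id(conn, user_id):
    """Hypothetical typed endpoint (the GetUserByID shape from the question): the SQL text is
    fixed in code and the id is bound as a parameter, so the caller supplies data, not SQL."""
    user_id = int(user_id)  # enforce the type contract at the service boundary
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchone()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo():
    """Run both designs against the sample data and report what each lets an anonymous caller do."""
    conn = make_db()
    result = {}
    # 1. The open endpoint returns a table the client was never meant to see.
    result["leaked_secret"] = run_query(conn, "SELECT secret FROM api_keys")[0][0]
    # 2. A SELECT-only keyword filter still leaks it.
    result["filter_leaks"] = run_select_only(conn, "SELECT secret FROM api_keys")[0][0] == SECRET
    # 3. The open endpoint also accepts destructive statements.
    run_query(conn, "DROP TABLE users")
    result["users_table_survives_open_endpoint"] = table_exists(conn, "users")
    # 4. The typed endpoint on a fresh database: a normal lookup works, and SQL-shaped
    #    input never reaches the database because it is not a valid integer id.
    conn = make_db()
    result["typed_lookup"] = get_user_by_id(conn, 2)
    try:
        get_user_by_id(conn, "2 OR 1=1")
        result["typed_rejects_sql"] = False
    except ValueError:
        result["typed_rejects_sql"] = True
    result["users_table_survives_typed_endpoint"] = table_exists(conn, "users")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The typed method is exactly what the question calls the "long process", and the demo is why it is worth the time: the service, not the caller, decides which SQL runs, and the parameter binding keeps caller input as data. In C# the same shape is a fixed command text with `SqlParameter` values, which is also what the ORM suggested in the answer generates for you, so switching to an ORM keeps the safety property while removing most of the hand-written methods.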