Virtual Directory Properties Dialog Box (Settings Tab)
Use the Settings tab to specify the type of Microsoft® SQL Server™ 2000 access you want to provide through the virtual directory.
Template and schema files can be stored in the directory that is specified when a virtual name of template type or schema type is created. They can also be stored in one of its subdirectories, in which case the relative path must be specified in the URL.
By default, only template file queries are allowed. Optionally, the URL can also execute posted SQL/template queries, XPath queries, or POST queries.
Allow sql=... or template=... URL queries
Allows you to execute SQL/template queries that are posted to a URL (as sql= or template= parameters by using either the get or the post HTTP method). An XML template can include SQL queries, XPath queries, or XML updategrams. For security reasons, this option is recommended during development only and not for use in a production environment because it allows users to execute any queries against the virtual root and the database. Selecting this option makes the Allow posted updategrams option unavailable because you can always post XML templates with updategrams by using this option. The length of the URL queries (the text that appears after the question mark ? in the URL) is limited to 1 kilobyte.
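A detection check for the option described above, added here as an example and not part of the original documentation: it scans IIS W3C extended log lines for requests to a SQLXML virtual directory that carry sql= or template= URL parameters, which should not appear in a production log. The virtual directory name /demo, the sample log lines, and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl

ADHOC_PARAMS = {"sql", "template"}  # URL parameters this option accepts
URL_QUERY_LIMIT = 1024              # documented 1-kilobyte URL query limit

# Constructed sample log; /demo is a hypothetical SQLXML virtual directory.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-10 09:14:02 192.0.2.10 GET /demo/template/orders.xml - 200
2003-01-10 09:14:40 192.0.2.44 GET /demo sql=SELECT+1 200
2003-01-10 09:15:03 192.0.2.44 GET /demo Template=%3CROOT%2F%3E 512
2003-01-10 09:15:30 192.0.2.10 GET /other sql=SELECT+1 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def find_adhoc_queries(lines, vroot):
    """Return requests under vroot whose query string has sql= or template=."""
    prefix = vroot.rstrip("/").lower() + "/"
    findings = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower() + "/"
        query = rec.get("cs-uri-query", "-")
        if query == "-" or not stem.startswith(prefix):
            continue
        # Names are lowercased so the check errs on the side of flagging.
        names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        hits = sorted(names & ADHOC_PARAMS)
        if hits:
            findings.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "client": rec.get("c-ip", "-"),
                "params": hits,
                "status": rec.get("sc-status", "-"),
                "over_limit": len(query) > URL_QUERY_LIMIT,
            })
    return findings

if __name__ == "__main__":
    for finding in find_adhoc_queries(SAMPLE_LOG, "/demo"):
        print(finding)
```

Any finding against a production virtual directory means the option is enabled or is being probed; the template-file request and the request to /other are not reported.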
Allow posted updategrams
Allows XML templates (with only XML updategrams) to be posted to a URL. This option restricts the XML templates that are posted to a URL to those that include only XML updategrams. Because the template cannot contain SQL/XPath queries, this option provides a certain level of security.
Allow template queries
Allows the execution of template files in the URL. A template is a valid XML document that consists of one or more SQL/XPath queries and updategrams. This option is enabled by default.
The Allow template queries option is useful if you have previously created virtual name(s) of the template type, but you want to temporarily disable permission to execute template files in the URL (and keep the previously created virtual name(s) of template type). By disabling this option, you can temporarily disable the execution of template files in the URL. Another way to avoid execution of templates in the URL is to not create a virtual name of template type. This prevents you from specifying a template file in the URL.
Allow XPath
Allows the execution of XPath queries against XML schema files in the URL. Creating virtual name(s) of schema type can also control XPath/Schema queries.
The Allow XPath option is useful if you have previously created virtual name(s) of the schema type but want to temporarily disable permission to execute XPath queries in the URL (and keep the previously created virtual name(s) of schema type). By disabling this option, you can temporarily disable the execution of XPath queries in the URL. Another way to avoid execution of XPath queries in the URL is to not create a virtual name of schema type. This prevents you from specifying XPath queries in the URL.
Allow POST
Allows the post HTTP method. By default, the HTTP methods get and head are allowed and you are limited by the maximum size of the URL. To allow large queries (such as template=Specify XML Template) and parameters, use post. The Allow POST option must be selected if you create virtual names of soap type. Note that enabling this option allows POST requests to be sent to any virtual name that is defined in this virtual directory. Therefore, it is recommended that you create a separate virtual root specifically for SOAP and then enable this option.
Maximum size of POST queries (in kilobytes)
Specifies the maximum amount of data (in kilobytes) that can be posted to the server per HTTP request.
Run on the client
Specifies that the XML formatting is to be done on the client.
Expose runtime errors as HTTP error
Specifies that errors be returned as part of the HTTP header. If this option is selected, an HTTP error code (512 Runtime Error) is returned if any of the queries in the template fail. In this case, the error descriptions are included in the HTTP header.
If this option is not set (which is the default), the HTTP success code (200) is returned and the errors are returned as processing instructions inside the XML document.
Suppress error reporting
Specifies that SQLXML should not return detailed error messages, but instead return the generic error: "Errors encountered. Execution failed." In a production environment, this provides added security by hiding internal details.
Virtual Directory Security Issues