Subject Re: [IBDI] Re: Internet
Author John Culleton
>
>
> I'm not a web programmer and don't know the techniques they use, but if I
> need high security, I place the database where users haven't file access,
> make a DCOM application server placed in such a directory too, and work
> with the database via 3-tier. Users don't know where the database is, don't
> know its name, and don't even know their own password on the SQL server -
> the appserver performs the connections to the database, and the thin client
> connects to the appserver using an application password. The last can be
> placed in the database and retrieved by the appserver via an additional
> connection.
>
>
We agree. I suggested as one form of security that the user retrieve data via
an html page and a cgi program which is not available to the user
directly. This would lock users/intruders out of the dbms. Your
alternative is more elaborate but should work equally as well,
maybe better.

However this begs the question of what to do on a machine where
users need some sort of direct SQL access. In this more difficult
situation I suggested locking up the utilities like isql and
using a program modelled after "apfull" but with security features built
in.

Perhaps the folks who are working with the Open Source version of
Interbase will take this security issue as a priority item.

John Culleton
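
The middle-tier arrangement discussed in this thread, as an added example that is not code from either poster: the gateway alone holds the database connection, clients present only an application password, and only named, parameterized queries are run. Assumptions: an in-memory `sqlite3` database stands in for InterBase, the table, user and query names are hypothetical, and storing the application password as a salted PBKDF2 hash is a choice made here, not something stated in the thread.

```python
import hashlib
import hmac
import os
import sqlite3

# Named, parameterized queries the gateway will run; clients never send SQL text.
ALLOWED = {
    "orders_for_customer":
        "SELECT id, total FROM orders WHERE customer = ? ORDER BY id",
}

def _hash(password, salt):
    # Salted, slow hash so the stored value is not the application password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AppServer:
    """Middle tier: only this object knows where the database is and how to connect."""

    def __init__(self):
        # Constructed sample data; in a real deployment this is the DBMS connection
        # made with credentials that never leave the server.
        self._db = sqlite3.connect(":memory:")
        self._db.executescript(
            "CREATE TABLE app_users(name TEXT PRIMARY KEY, salt BLOB, pw BLOB);"
            "CREATE TABLE orders(id INTEGER, customer TEXT, total REAL);"
            "INSERT INTO orders VALUES (1,'acme',10.0),(2,'acme',5.5),(3,'globex',7.0);"
        )

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._db.execute("INSERT INTO app_users VALUES (?,?,?)",
                         (name, salt, _hash(password, salt)))

    def _authenticate(self, name, password):
        row = self._db.execute("SELECT salt, pw FROM app_users WHERE name = ?",
                               (name,)).fetchone()
        # Constant-time comparison of the stored and recomputed hashes.
        return row is not None and hmac.compare_digest(row[1], _hash(password, row[0]))

    def request(self, name, password, query_name, params=()):
        if not self._authenticate(name, password):
            raise PermissionError("bad application credentials")
        sql = ALLOWED.get(query_name)
        if sql is None:
            raise PermissionError("query not permitted")
        # Parameters are bound, never concatenated into the SQL string.
        return self._db.execute(sql, tuple(params)).fetchall()
```
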