Subject: Database and application security
Author: Christhonie Geldenhuys
Hi all,

I am a novice when it comes to implementing database security, so I want to
know:

Is it a bad idea to use a generic user to log into the database, storing the
password within the application? I was planning to have my own user table
and perform authentication on the client side, hashing the password entered
(with MD5) and compare it to the hashed string in the table.

The alternative (I guess) would be to use individual database user accounts,
and I want the users to be able to change their own passwords, but how do
you do that? I am under the impression you need to be logged in as SYSDBA
to accomplish this. Also, I want to keep track of failed login attempts
with a lockout count and lockout time. I would typically use the
TIBSecurityService component under Delphi to add and modify user accounts to
isc4.gdb. I don't want to hard-code the SYSDBA password in my application,
so what can I do?

The IB documentation does not give enough information on how to accomplish
this. Help would be appreciated!

Regards,
Chris
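The first design the post sketches (one generic database login held by the application, plus the application's own user table with hashed passwords, a failed-attempt counter and a lockout time) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not Chris's code, not a reply from the list, and not anything from InterBase or the TIBSecurityService component. It uses SQLite in memory purely so it runs stand-alone, where the real application would hold one connection to its InterBase database. The post proposes unsalted MD5; this example substitutes a per-user random salt with PBKDF2-SHA256 from hashlib, a swap made here, not something the post states. The lockout threshold and duration are assumed values, since the post gives none.

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Assumed policy values for this example; the original post does not specify any.
LOCKOUT_THRESHOLD = 3        # failed attempts that trigger a lockout
LOCKOUT_SECONDS = 15 * 60    # how long the account stays locked
PBKDF2_ITERATIONS = 200_000  # work factor for the password hash


def open_db():
    """An in-memory SQLite table stands in for the application's own user table."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE app_user (
            username      TEXT PRIMARY KEY,
            salt          BLOB NOT NULL,
            pw_hash       BLOB NOT NULL,
            failed_count  INTEGER NOT NULL DEFAULT 0,
            locked_until  REAL NOT NULL DEFAULT 0
        )""")
    return db


def hash_password(password, salt):
    """Salted PBKDF2-SHA256, used here instead of the unsalted MD5 the post proposes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(db, username, password):
    salt = os.urandom(16)  # fresh random salt per user
    db.execute("INSERT INTO app_user (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))
    db.commit()


def login(db, username, password, now=None):
    """Returns 'ok', 'bad_password', 'locked' or 'no_user'.

    `now` is injectable so the lockout window can be exercised without sleeping.
    """
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT salt, pw_hash, failed_count, locked_until FROM app_user WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        # Burn a hash anyway so an unknown user is not cheaper to probe than a wrong password.
        hash_password(password, b"\x00" * 16)
        return "no_user"
    salt, pw_hash, failed_count, locked_until = row
    if now < locked_until:
        return "locked"
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        # Success clears the failure counter and any expired lock.
        db.execute("UPDATE app_user SET failed_count = 0, locked_until = 0 WHERE username = ?",
                   (username,))
        db.commit()
        return "ok"
    failed_count += 1
    if failed_count >= LOCKOUT_THRESHOLD:
        # Lock the account and reset the counter so the next window starts clean.
        db.execute("UPDATE app_user SET failed_count = 0, locked_until = ? WHERE username = ?",
                   (now + LOCKOUT_SECONDS, username))
        db.commit()
        return "locked"
    db.execute("UPDATE app_user SET failed_count = ? WHERE username = ?",
               (failed_count, username))
    db.commit()
    return "bad_password"


def change_password(db, username, old_password, new_password, now=None):
    """Users change their own password by proving the old one; no SYSDBA involvement."""
    status = login(db, username, old_password, now)
    if status != "ok":
        return status
    salt = os.urandom(16)  # re-salt on every change
    db.execute("UPDATE app_user SET salt = ?, pw_hash = ? WHERE username = ?",
               (salt, hash_password(new_password, salt), username))
    db.commit()
    return "ok"


if __name__ == "__main__":
    db = open_db()
    add_user(db, "chris", "correct horse")  # constructed sample account
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", login(db, "chris", attempt))
```

Because every password check goes through the application's single database connection, the generic database credential never has to be shared with end users, and the lockout state lives in the same table as the hash, so it is enforced regardless of which client connects.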