| Subject | How would Firebird prevent users thrasing database |
|---|---|
| Author | Johan van Zyl |
| Post date | 2004-04-05T07:26:46Z |
From clarion newsgroup
HI Arnor,
You bring up a good point that has been a big long-time complaint of mine
with regards to SQL. I recall five years ago or so investigating a variety
of SQL's and discovering that there was no real protection from stopping the
end-user from gaining access to the SQL db using any widely available SQL db
manager tool.
I am finally caving in and accepting the reality of needing to use SQL for
my upcoming projects.
But I am wondering... Has the above scenario changed much with all the
popular brand SQL's in use today?
Not being overly familiar with all the SQL flavors, is there a general
technique that all SQL vendors conform to that allows dev's to truly lockout
end-users from gaining read/write access to an SQL db?
I assume that most SQL db's allow some form of encryption with a special
password on it when you first create the db. Is this correct? Or are the
SQL db passwords a simple smoke-screen that any average Joe Blow can get
past anyway?
I'm curious what the status of complete SQL lockout from prying eyes is with
MS-SQL, Sybase, Pervasive, etc. I am fairly sure that Firebird offers
nothing in this area yet.:(
I've always loved TPS files because of its low familiarity by the general
public. This has always protected me from the very thing you suggested
would occur if end-users could gain access to a db.
Later,
Doug
Arnor,
As Glenn suggests, this is the type of security I am interested in knowing
about.
Obviously, if they are accessing my developed application, then they will
need read/write access while the app is in use.
However, my SQL security fears have always been that an end-user who is no
longer on support, hires some wannabe developer to adjust the db in a
certain way. That wannabe developer can easily identify my app using XYZ
SQL and then could easily connect to the db using external manager tools or
his/her own development tools. I want to AVOID THIS.
I recall in the past that there was nothing that could be done about this
with most SQL backends.
Glenn suggests (at least with MS SQL) that a technique does exist to address
my concerns.
Later,
Doug
JVZ Systems CC Customised Software - When it needs
to fit like a glove
Johan van Zyl
Owner JVZ Systems CC
PO Box 3469
Somerset West
7129
johan@... http://www.jvz.co.za tel:
fax:
mobile: +27 21 851 7205
+27 21 852 2387
082 875 4238
Signature powered by Plaxo Want a signature like this?
Add me to your address book...
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.648 / Virus Database: 415 - Release Date: 2004-03-31
[Non-text portions of this message have been removed]
HI Arnor,
You bring up a good point that has been a big long-time complaint of mine
with regards to SQL. I recall five years ago or so investigating a variety
of SQL's and discovering that there was no real protection from stopping the
end-user from gaining access to the SQL db using any widely available SQL db
manager tool.
I am finally caving in and accepting the reality of needing to use SQL for
my upcoming projects.
But I am wondering... Has the above scenario changed much with all the
popular brand SQL's in use today?
Not being overly familiar with all the SQL flavors, is there a general
technique that all SQL vendors conform to that allows dev's to truly lockout
end-users from gaining read/write access to an SQL db?
I assume that most SQL db's allow some form of encryption with a special
password on it when you first create the db. Is this correct? Or are the
SQL db passwords a simple smoke-screen that any average Joe Blow can get
past anyway?
I'm curious what the status of complete SQL lockout from prying eyes is with
MS-SQL, Sybase, Pervasive, etc. I am fairly sure that Firebird offers
nothing in this area yet.:(
I've always loved TPS files because of its low familiarity by the general
public. This has always protected me from the very thing you suggested
would occur if end-users could gain access to a db.
Later,
Doug
Arnor,
As Glenn suggests, this is the type of security I am interested in knowing
about.
Obviously, if they are accessing my developed application, then they will
need read/write access while the app is in use.
However, my SQL security fears have always been that an end-user who is no
longer on support, hires some wannabe developer to adjust the db in a
certain way. That wannabe developer can easily identify my app using XYZ
SQL and then could easily connect to the db using external manager tools or
his/her own development tools. I want to AVOID THIS.
I recall in the past that there was nothing that could be done about this
with most SQL backends.
Glenn suggests (at least with MS SQL) that a technique does exist to address
my concerns.
Later,
Doug
JVZ Systems CC Customised Software - When it needs
to fit like a glove
Johan van Zyl
Owner JVZ Systems CC
PO Box 3469
Somerset West
7129
johan@... http://www.jvz.co.za tel:
fax:
mobile: +27 21 851 7205
+27 21 852 2387
082 875 4238
Signature powered by Plaxo Want a signature like this?
Add me to your address book...
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.648 / Virus Database: 415 - Release Date: 2004-03-31
[Non-text portions of this message have been removed]