Subject | RE: [firebird-support] How would Firebird prevent users thrasing database |
---|---|
Author | Martin Dew |
Post date | 2004-04-05T07:37:42Z |
I may be overlooking something obvious here, but if you alter the
password for SYSDBA to something only you know then no-one else can
connect to the database via any management tools as the connection needs
the password and username to be valid.
Regards
Martin
-----Original Message-----
From: Johan van Zyl [mailto:johan@...]
Sent: 05 April 2004 08:27
To: firebird-support@yahoogroups.com
Subject: [firebird-support] How would Firebird prevent users thrasing
database
From clarion newsgroup
Hi Arnor,
You bring up a good point that has been a big long-time complaint of
mine with regards to SQL. I recall five years ago or so investigating a
variety of SQL's and discovering that there was no real protection from
stopping the end-user from gaining access to the SQL db using any widely
available SQL db manager tool.
I am finally caving in and accepting the reality of needing to use SQL
for my upcoming projects.
But I am wondering... Has the above scenario changed much with all the
popular brand SQL's in use today?
Not being overly familiar with all the SQL flavors, is there a general
technique that all SQL vendors conform to that allows dev's to truly
lockout end-users from gaining read/write access to an SQL db?
I assume that most SQL db's allow some form of encryption with a special
password on it when you first create the db. Is this correct? Or are
the SQL db passwords a simple smoke-screen that any average Joe Blow can
get past anyway?
I'm curious what the status of complete SQL lockout from prying eyes is
with MS-SQL, Sybase, Pervasive, etc. I am fairly sure that Firebird
offers nothing in this area yet. :(
I've always loved TPS files because of their low familiarity by the
general public. This has always protected me from the very thing you
suggested would occur if end-users could gain access to a db.
Later,
Doug
Arnor,
As Glenn suggests, this is the type of security I am interested in
knowing about.
Obviously, if they are accessing my developed application, then they
will need read/write access while the app is in use.
However, my SQL security fears have always been that an end-user who is
no longer on support hires some wannabe developer to adjust the db in a
certain way. That wannabe developer can easily identify my app using
XYZ SQL and then could easily connect to the db using external manager
tools or his/her own development tools. I want to AVOID THIS.
I recall in the past that there was nothing that could be done about
this with most SQL backends.
Glenn suggests (at least with MS SQL) that a technique does exist to
address my concerns.
Later,
Doug
JVZ Systems CC Customised Software - When it
needs to fit like a glove
Johan van Zyl
Owner JVZ Systems CC
PO Box 3469
Somerset West
7129
johan@... http://www.jvz.co.za tel:
fax:
mobile: +27 21 851 7205
+27 21 852 2387
082 875 4238