Subject | Re: [firebird-support] Avoiding hard-coding db pass in app - without using db users |
---|---|
Author | Steve Wiser |
Post date | 2008-11-10T13:46:54Z |
I don't understand why their having the source code of the login
procedure is dangerous. The code should be pretty generic and is
checking the password they entered against some password that is stored
encrypted in a table, right? As long as they cannot change it you are
ok, right?
-steve
Zd wrote:
> Dear Group,
>
> I asked this question a while back and now it turns out the answer I
> got might not be usable.
>
> Here is the situation:
>
> My application has to connect to the database through one universal
> user. Having multiple DB users for each user is not an option for now.
>
> I do not want to encode the DB password in my application in any way
> because a talented hacker can easily extract that, no matter what
> encryption I use.
> The solution suggested before was that the application should have a
> restricted user / pass combo encoded which should be used only to get
> the full password over a secure network. There should be a stored
> procedure which authenticates the user (using data from a separate
> users table) then returns the full DB password if the user/pass
> supplied is valid.
>
> But since you can't hide the procedure's code, I don't know how to go
> about this.
>
> Any ideas on how to make this strategy work, or any other ideas?
>
> Thanks,
> Zd
Specialized Business Software attempts to sweep harmful content (e.g. viruses) from e-mail and attachments, however we cannot guarantee their safety and can accept no liability for any resulting damage. The recipient is responsible to verify the safety of this message and any attachments before accepting them.
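A runnable model of the procedure the thread is discussing, added here as an example and not code from either poster or from Firebird. It mimics the stored procedure in Python over an in-memory SQLite database: an app-level users table holding salted one-way hashes, a second table holding the full DB password, and a `get_db_password` function that returns that secret only when the supplied user/password verifies. Table and column names, the PBKDF2 parameters and the sample rows are all constructed for this example. The point it illustrates is Steve's: the source of the check can be public, because what it compares against is a salted hash that cannot be turned back into a password, and the secret lives in a table the caller never reads directly.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed parameters for this example; a real deployment tunes the
# iteration count to its hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash. An attacker who reads this function (the
    'procedure source') still cannot recover the password from the stored
    hash without brute-forcing it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def setup_database(db_password: str) -> sqlite3.Connection:
    """Create the two tables the procedure reads. Rows are constructed sample
    data: two app-level users and the single guarded DB password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    conn.execute("CREATE TABLE db_secret (id INTEGER PRIMARY KEY, password TEXT NOT NULL)")
    for username, password in (("alice", "correct horse battery"), ("bob", "hunter2")):
        salt = os.urandom(SALT_BYTES)
        conn.execute(
            "INSERT INTO app_users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)),
        )
    conn.execute("INSERT INTO db_secret (id, password) VALUES (1, ?)", (db_password,))
    conn.commit()
    return conn


def get_db_password(conn: sqlite3.Connection, username: str, password: str):
    """Model of the stored procedure: authenticate against app_users and hand
    back the full DB password only on a match, None otherwise.

    Two details a practitioner wants even when the source is public:
    - the comparison is constant-time (hmac.compare_digest), and
    - an unknown username still pays for one hash, so response time does not
      reveal which usernames exist."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM app_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password, b"\x00" * SALT_BYTES)  # dummy work, result discarded
        return None
    salt, stored_hash = row
    if not hmac.compare_digest(hash_password(password, salt), bytes(stored_hash)):
        return None
    secret_row = conn.execute("SELECT password FROM db_secret WHERE id = 1").fetchone()
    return secret_row[0] if secret_row else None


if __name__ == "__main__":
    db = setup_database("the-real-db-password")  # constructed secret
    print(get_db_password(db, "alice", "correct horse battery"))  # the secret
    print(get_db_password(db, "alice", "wrong"))                  # None
    print(get_db_password(db, "nobody", "anything"))              # None
```

Mapping this back to Firebird: the separation that matters is at the grant level. The credentials embedded in the application get `GRANT EXECUTE ON PROCEDURE` for the login procedure only, while `SELECT` on the users and secret tables is granted `TO PROCEDURE` rather than to that login, so the restricted user can run the check but cannot read either table directly. Two caveats the thread's design does not remove: the full password is still delivered to every client that authenticates, so any valid app-level login (or anyone on the wire if the connection is not encrypted) ends up holding it, and the hashes must be genuinely one-way, not reversible encryption, or the public procedure source becomes the decryption routine.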