Subject Re[2]: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users
Author Björn Reimer
[...]

> What I'm assuming is that the hacker trying to attack the database
> has the client application's code, but doesn't have a valid
> username/password combination for the server.

How should the client normally authenticate against the db-server
without a password? You must either store it somewhere on the client
side as plain text or encrypted with the key inside your app, or let it
be a secret of the user = personal username and password, stored in
fb's security db.

The only other solution I could imagine would be to have an account
without a password and grant access to your login proc to public.
But not with SYSDBA!

And then everybody with a valid username/password can authenticate
against your db...

[...]

> I'll save the SYSDBA password in the database in an encrypted form.
> With the solution I outlined below, I suppose the only chance for an
> "insider" to get full access to the database remotely is by
> disassembling the code of my client application - which is not very
> likely to happen by an everyday user.

But every skilled fb guy or girl can exchange the security db and then
login!

You also have to eliminate physical access to the server.
And if physical access to the server is not possible any more, then
you could use Firebird's own user db.

Björn

--
Björn Reimer - RRZE