Subject | Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users |
---|---|
Author | Kjell Rilbe |
Post date | 2008-11-11T19:54:41Z |
Milan Babuskov wrote:
> Zd wrote:
> > Firebird doesn't provide secure connections, instead I'm thinking of
> > using a third party tool like ZeBeDee to create a secure tunnel
>
> Won't work. The localhost connection between fbclient.dll and zebedee on
> client side is not encrypted. Only the part between zbd server and
> client is.

Doesn't matter. :->

> Also, if hacker has access to client machine, there are much bigger
> problems. He can, for example, freeze your application with something
> like SoftICE[1] and read the SYSDBA password from its memory space.

The only way this is useful to a hacker is if he has already been able
to provide a valid username/password combo to the login proc, because
the myspecialsysdba password is only returned after such successful
execution.

Zd's assumptions were:
1. Hackers only have access to the client application, not in an already
logged in state.
2. Users are not hackers.

With these assumptions (which can of course be questioned) I can't see a
problem.

Kjell
--
--------------------------------------
Kjell Rilbe
DataDIA AB
E-mail: kjell@...
Phone: 08-761 06 55
Mobile: 0733-44 24 64