| Subject | Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users |
|---|---|
| Author | Teträm Corp |
| Post date | 2008-11-11T22:19:38Z |
OK, sorry: I missed the procedure parameters.
My apologies.
Thierry
Kjell Rilbe wrote:
>
> Teträm Corp wrote:
>
> > and when your hacker has the SECUSER password, do you think he will stop
> > there thinking "what a mess, a limited account!!!" and not try something
> > like EXECUTE PROCEDURE (or select from procedure if you want)???
> > and so retrieve the SYSDBALIKE password (and now the login)...
> >
> > I continue: if hardcoding the SECUSER password seems enough, why not the
> > SYSDBALIKE one? Or, if you prefer, if hardcoding the SYSDBALIKE password is
> > not enough, how could it be secure for the SECUSER one, which permits getting
> > the SYSDBALIKE one?
>
> Thierry,
>
> The hacker can execute as much as he likes, but he won't get the
> password back unless he provides a valid username/password combo as input.
>
> Sure, he can brute-force his way in, but I think such attacks can be
> prevented by other means, e.g. blocking client IPs that fail too
> many times in a row.
>
> Kjell
> --
> --------------------------------------
> Kjell Rilbe
> DataDIA AB
> E-mail: kjell@...
> Phone: 08-761 06 55
> Mobile: 0733-44 24 64