Subject Re: [firebird-support] Firebird sysdba account
Author Thomas Steinmaurer
> ----- Original Message -----
> From: "Alexandre Benson Smith" <iblist@...>
>> The problem with encryption is that you have to store the key in some
>> place (inside the application?), not such a secure approach either.
>>
>> Another point is that you will have problems doing inequality searches with
>> encrypted data.
>>
>> There is no easy way to protect the data when one has physical access to
>> the database file.
>
> I understand that now, but what is the "proper" way to grant an application
> access to the database? At the moment I have the default sysdba password
> hardcoded in my app, but if the user changes their sysdba password, which
> most people with Firebird really should for security, then they cannot
> access my application.

Pretty simple, don't use SYSDBA as owner for deployment!!!
http://blog.upscene.com:8080/thomas/index.php?entry=entry080730-233217

> Is the "proper" way to grant an application access to the database to use
> the sysdba user, or is it to create a new user in the Firebird security
> database (and if so can you do that the first time the application is run
> when a person installs the application)?

Create your own application user which is the owner of the database and
the owner of tables, views, stored procedures.

You can create a new user with gsec or the Services API, but here, you
need SYSDBA again, so it's some kind of chicken/egg problem. ;-)



--
Best Regards,
Thomas Steinmaurer
LogManager Series - Logging/Auditing Suites supporting
InterBase, Firebird, Advantage Database, MS SQL Server and
NexusDB V2
Upscene Productions
http://www.upscene.com
My blog:
http://blog.upscene.com/thomas/
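
The following is an added example, not part of the original message or of any Firebird tooling: one way an installer can handle the chicken/egg step described above by asking for the SYSDBA password once, creating a dedicated owner with gsec, and creating the database as that owner. The names APP_USER, DB_PATH and CRED_FILE and their default values are hypothetical, and the script assumes Firebird's gsec and isql are on the PATH.

```shell
#!/bin/sh
# Added example: install-time provisioning of a non-SYSDBA database owner.
# APP_USER, DB_PATH and CRED_FILE are hypothetical names, not from the thread.
APP_USER="${APP_USER:-MYAPP_OWNER}"
DB_PATH="${DB_PATH:-localhost:/var/lib/myapp/myapp.fdb}"
CRED_FILE="${CRED_FILE:-/etc/myapp/db.cred}"

# 24 hex characters from the kernel CSPRNG, unique per installation.
gen_password() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Reject user names that are not plain identifiers before they reach gsec/isql.
valid_user() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The user named in CREATE DATABASE becomes the owner of the new database.
create_db_sql() {
    printf "CREATE DATABASE '%s' USER '%s' PASSWORD '%s';\n" \
        "$(sql_quote "$1")" "$(sql_quote "$2")" "$(sql_quote "$3")"
}

provision() {
    valid_user "$APP_USER" || { echo "bad user name" >&2; return 1; }
    # Ask the administrator for SYSDBA once; it is never written to disk.
    printf 'SYSDBA password: ' >&2
    stty -echo; IFS= read -r sysdba_pw; stty echo; echo >&2
    app_pw=$(gen_password)
    # Passwords on a command line are visible to other local users
    # while the command runs.
    gsec -user SYSDBA -password "$sysdba_pw" -add "$APP_USER" -pw "$app_pw" || return 1
    unset sysdba_pw
    create_db_sql "$DB_PATH" "$APP_USER" "$app_pw" | isql -q || return 1
    # Store only the application owner's credential, readable by its account.
    ( umask 077; printf '%s\n' "$app_pw" > "$CRED_FILE" )
}

# Run only when invoked as: sh provision.sh --run
if [ "${1:-}" = "--run" ]; then provision; fi
```

After this runs, the application connects with the generated owner credential, so a later change of the SYSDBA password does not affect it.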