Subject Re: Need security advice from the pros
Author Adam
--- In firebird-support@yahoogroups.com, "Zd" <toldy007@...> wrote:
>
> Dear Group,
>
> Please help me with the following security considerations:
>
> My program connects to an FB2.1 DB running on XP. Many different
> users are going to use my client program to connect to the database.
>
> Unfortunately, my program doesn't use "users" in the FB DB, instead
> it uses the SYSDBA password to connect to the database. Each user has
> a login/pass pair stored in the database in a table that is used for
> authentication inside my program.
>
> Here are my problems:
> 1, I can't redesign the program since it has a sophisticated built-in
> rights management mechanism, so I have to stay with the solution
> outlined above.

That makes no sense. Of course you can create a new database user and
grant full rights to every object. Hard coding a sysdba connection
from a client you have no control over is a bad idea.

> 2, Clients will be connecting through LAN and through the Internet -
> so the database will be exposed on the Internet.
> 3, The program will be running at different companies.

Have you done any performance metrics? Your model sounds very
client-server to me, and you may find such a model is not fast enough
anyway. If you put in a 3 tier model, then you can control what goes
between application server and database engine. You can then add to
your arsenal of user/password authentication value IP authentication etc.


Adam
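As an added illustration of the first point in Adam's reply (not part of the original thread), the script below shows what replacing the hard-coded SYSDBA connection with a dedicated, least-privilege database user looks like on Firebird 2.1. The user name APPUSER, the role APP_RW, the table and procedure names, the database path and the password are all placeholders; on 2.1 the user itself must be created with the gsec tool, since the CREATE USER statement only arrived in Firebird 2.5.

```sql
-- Step 1: create the application login in the server's security database.
-- On Firebird 2.1 this is done with gsec from the command line, not SQL
-- (run as SYSDBA once, on the server; the password shown is a placeholder):
--   gsec -user SYSDBA -password <sysdba-password> -add APPUSER -pw <app-password>

-- Step 2: connect as the database owner (or SYSDBA) to define the grants.
-- Run the rest of this script in isql against the application database.

-- A role bundles the privileges so they can be reviewed in one place and
-- handed to further users later without repeating every GRANT.
CREATE ROLE APP_RW;

-- Grant only the data access the client actually needs, table by table.
-- Placeholder objects: CUSTOMERS, ORDERS, APP_USERS, SP_CHECK_LOGIN.
GRANT SELECT, INSERT, UPDATE, DELETE ON CUSTOMERS TO ROLE APP_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON ORDERS    TO ROLE APP_RW;

-- The in-database login table is only read through a stored procedure,
-- so the role gets EXECUTE on the procedure rather than SELECT on the table;
-- the procedure's own owner privileges are used when it runs.
GRANT EXECUTE ON PROCEDURE SP_CHECK_LOGIN TO ROLE APP_RW;

-- Hand the role to the application login. APPUSER is not the database
-- owner, so it cannot issue DDL (ALTER/DROP) against these objects.
GRANT APP_RW TO USER APPUSER;

COMMIT;

-- Step 3: the client now connects as APPUSER with the role, never as SYSDBA.
-- (isql syntax; the host and path are placeholders.)
CONNECT 'dbhost:C:\data\app.fdb' USER 'APPUSER' PASSWORD '<app-password>' ROLE 'APP_RW';
```

A quick check after the change: connected as APPUSER, a statement such as SELECT * FROM APP_USERS or ALTER TABLE ORDERS ADD X INTEGER should fail with a "no permission" error, while the granted SELECT/INSERT on CUSTOMERS and ORDERS and the EXECUTE on SP_CHECK_LOGIN succeed. If the client ships with the password embedded, a compromised copy of the client still only yields the APP_RW privileges rather than full SYSDBA control of every database on the server, which is the point Adam is making about a client you have no control over.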