And how do you secure the password to the database?
Same way business does it in the internet: Ebay, Yahoo, Google, Amazon, Banks, Government, Academy, etc., and me too.
All those businesses do not share the database with their users; it is kept in their offices and they provide only controlled access to it. Any employee with appropriate rights can easily use those passwords to scam any customer.
How do you protect a password for a database that is shared with all your customers, when it is required to connect to and access that database? The database does not contain any user name or password data, and it is a single-user database.
I am not familiar with businesses that use a single-user database that uses no passwords nor user names, and yet is used by various employees.
Sounds like an improper practice, to me. So, I don't know how they protect that, sorry.
Databases that I developed for large corporations all had user names, and each user a password.
You are putting words in my mouth, sorry; re-read my previous post. Think of it this way:
DB1 :user name = xxx; password = yyyyy
this should be unique per client?
each client should provide its own password?
The point is that this database is protected from direct access from the client and must be accessed only through my application.
It is a single-user database, i.e. no multiple-user access, only 1 user at a time.
Please provide specific methods to protect that database without saving the UN and password of the db in the application.
Please keep in mind that this database must be decrypted before accessing any data in it, including any application user or passwords.
Hi Taazz,
I am not intending to put words in anyone's mouth. I answered on my own, I believe.
You have:
Think of it this way
DB1 :user name = xxx; password = yyyyy
this should be unique per client?
each client should provide its own password?

I can not speak for others, but I have already stated about databases for business I have done, that each user has his own name and password. Of course, "his" is meant to imply "unique".
Also, this:
the point is that this database is protected from direct access from the client and must be accessed only through my application.
It is a single-user database, i.e. no multiple-user access, only 1 user at a time.

I believe that I also stated that I do not do for businesses databases that are single-user, accessible only through a specific application, and that I would not know how those who do would protect that setup, which I also said, I believe, is an improper practice (to allow a single user control of business data, in this case). There may be cases, though, that I have not seen, not attended to, though.
...............................
As to this:
Please provide specific methods to protect that database with out saving the UN and password of the db in application.
Please keep in mind that this database must be decrypted before accessing any data in it including any application user or passwords

Databases that are centralized, intended for business or critical use, have their mechanisms for storing user names and passwords, and ALSO control users' privileges (access rights) both on an individual and a group basis. Applications for access NEVER have the password in the code. Earlier in the thread, I have also stated that passwords are gathered by the application by prompt, or by filling UserName and Password boxes. The gathered UserName and password are sent immediately to the database (which is a database server), and that is itself THE APPLICATION that provides or denies access. If the client application is written, say, in Lazarus, a Try block would be a natural way to do the gathering and sending of the UserName and password, and the Finally clause would delete the password from the variable. It should be clear that the application NEVER stores the UserName nor his/her password.
Besides, it would be an oxymoron, because since those applications are meant to be used by multiple users, it would imply to store every user and every password in the application, and each new user would require a recompiling of the application. Therefore, it is not even considered. I've never even heard of that being a possibility. But that's me. I have not been everywhere, of course.
I hope this is sufficient detail, as you request.
.......................................
And this also:
Please keep in mind that this database must be decrypted before accessing any data in it including any application user or passwords

I have not yet used databases that encrypt the data, but all that I have done, and know about and consider robust, do encrypt the passwords in their system tables. The security of the system tables, as well as the database itself (with all its data, of course), belongs to the system administrator, or to the database administrator. That level of security, of course, does not belong to any client application.
Encryption of user data, it should be realized, is complex to implement, since one first question would be: would data be encrypted at the individual end-user level (the ideal), or at a global level (not much needed if the system is well taken care of, as said, by reliable personnel, using well established policy). And, now, if the database is centralized, it should also be realized that it is centralized precisely TO SHARE the data allowed, via reports and ad-hoc SQL queries, making that pretty much, if not impossible, very very difficult. Therefore, at high monetary cost, perhaps some databases use encryption of data. Cost, let's not forget, would include support.
.........................
I repeat, again, that I would never intend to put words in anyone's mouth, nor mean to antagonize on this issue. These practices I mention are not mine to defend, actually. They are well established business practices that I have myself found to be the correct ones.
If the argument be that nothing is guaranteed absolutely secure or safe, I agree.
But using driving a vehicle as a comparison, I still advocate that driving follow established safety practices.
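
The prompt, send and wipe pattern described in the reply above (Try block to gather and send, Finally clause to clear the password), as an added Free Pascal example that is not part of the original thread. The names `TServerLogin`, `WipeString`, `TryLogin` and `DemoServerLogin` are hypothetical, and `DemoServerLogin` is a constructed stand-in for the database server so the program runs without one.

```pascal
program LoginWipe;
{$mode objfpc}{$H+}

type
  // Hypothetical stand-in for the database server's own login check.
  TServerLogin = function(const UserName, Password: string): Boolean;

// Overwrite the password characters in memory, then release the string.
procedure WipeString(var S: string);
begin
  if Length(S) > 0 then
  begin
    UniqueString(S);  // own the buffer; never scribble over shared or constant data
    FillChar(S[1], Length(S) * SizeOf(Char), 0);
  end;
  S := '';
end;

// Hand the credentials to the server and wipe the password whatever happens,
// including when Login raises an exception.
function TryLogin(const UserName: string; var Password: string;
  Login: TServerLogin): Boolean;
begin
  try
    Result := Login(UserName, Password);
  finally
    WipeString(Password);
  end;
end;

// Constructed server side for the demo: the account lives on the server,
// not in the client. A real client would open a connection to the server here.
function DemoServerLogin(const UserName, Password: string): Boolean;
begin
  Result := (UserName = 'demo_user') and (Password = 'constructed-sample');
end;

var
  User, Pass: string;
begin
  Write('User name: '); ReadLn(User);
  Write('Password: ');  ReadLn(Pass);  // a GUI form would use a masked edit box
  if TryLogin(User, Pass, @DemoServerLogin) then
    WriteLn('Server granted access')
  else
    WriteLn('Server denied access');
  WriteLn('Password length held by client after attempt: ', Length(Pass));
end.
```

Other copies of the password, such as the console or edit-control buffer or a connection component's password property, are outside this routine and need clearing separately.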