Access to the DB

Dear all,

I am writing an app that would run natively on some client machines that should connect to a database as a single DB user and later pretend to be more users (there's nothing new in this approach, I think). Now my problem is the following. Authentication is password based, that means that the app has to know it but Joe User must not (otherwise he could do arbitrary things with the DB). DB passwords change over time and I think recompiling the app every time the password changes is just silly.

So: how to store the DB access password so that Joe User doesn't see it but the admin can update it when it is necessary? Should I have an app on the server that the client would connect to or how?

I am using stored procedures for everything but selects (in fact - imitating object oriented programming on the PgSQL server), but I am not quite sure I could prevent anyone from using "delete" on a table who would use a stored function for that. How could I force people to use my stored functions for insert, update and delete operations instead of insert, update, delete commands in the DB?

Thanks in advance

Zoltan

Nov 23 '05 #1
> So: how to store the DB access password so that Joe User doesn't see it but the admin can update it when it is necessary? Should I have an app on the server that the client would connect to or how?


This is probably overkill for your app (and may be for mine as well), but
here's how I addressed this situation.

First a little background:

I have been developing a program which is a table-driven web browser-based
table query/update program designed for users rather than DBA's. (It
allows the user to query/insert/update/delete data but not to change
the data structure.)

It was written in PHP with postgres in mind but also works with mysql
and should work with any relational database that can be connected to
via PHP/Pear.

Because it is designed to work in a client-server environment, it has its
own user/password scheme.

The userid/password controls what applications the user can launch and
which database it connects to as well as what userid it is on that database,
and thus what data access privileges the user has.

The password itself is stored using a one-way encryption, but the connect
string is stored using the password as an encryption key using the pgcrypto
package. That way it cannot be easily decrypted.

Here's my 'user' table description. (There are a few other fields whose
purpose I haven't referred to in this note.)

       Column       |         Type          | Modifiers
--------------------+-----------------------+-----------
 pb_user_name       | character varying(20) |
 pb_user_pw_timeout | integer               |
 pb_user_connect    | bytea                 |
 pb_user_pass       | text                  |
 pb_user_perm       | text                  |
 pb_user_comment    | text                  |

The tables that drive the app, including the user file, are in a separate
database, with a connect string supplying a userid/password for read-only
access to that database. (That connect string can be kept in a hidden file
in the web directory or in the psql/lib directory.)

I hope to release this program into the open-source community either
later this year or in 2005. I don't think there's anything quite like
it out there. It is currently in use at a client's office, and I use
it myself to manage several personal databases. I already have a
potential alpha tester in mind.

There are some hooks for native postgres-ism's like arrays that may have
to be worked around in the next rewrite before I can release it, and of
course any database-specific features could only be used in the entries
for an app which accesses that database platform. Also, the password
concept may need to be reworked to make it compatible with the
encrypt/decrypt capabilities of other database engines.

I hope this gives you some ideas.
--
Mike Nolan


Nov 23 '05 #2
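
The scheme described in the reply above, written out with pgcrypto as an added example (not the poster's own code): the app password is stored as a crypt() hash, and the connect string is encrypted with pgp_sym_encrypt() keyed by that same password. The table name pb_user, both function names, the choice of crypt()/gen_salt('bf') and pgp_sym_encrypt(), and every value are assumptions; the post names only the pgcrypto package and the columns.

```sql
-- Added example. The table name pb_user, the function names and all values
-- are constructed; the three columns are taken from the post.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE pb_user (
    pb_user_name    varchar(20) PRIMARY KEY,
    pb_user_pass    text  NOT NULL,  -- one-way hash of the app password
    pb_user_connect bytea NOT NULL   -- connect string, encrypted under that password
);

-- Enrolment: only the hash and the ciphertext are stored.
INSERT INTO pb_user (pb_user_name, pb_user_pass, pb_user_connect)
VALUES ('joe',
        crypt('constructed-app-password', gen_salt('bf')),
        pgp_sym_encrypt(
            'host=db.example dbname=sales user=sales_rw password=constructed-db-password',
            'constructed-app-password'));

-- Login: the WHERE clause re-hashes the supplied password with the stored
-- salt, so decryption is attempted only for a row whose hash matches.
CREATE FUNCTION pb_login(p_name text, p_password text) RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT pgp_sym_decrypt(pb_user_connect, p_password)
      FROM pb_user
     WHERE pb_user_name = p_name
       AND pb_user_pass = crypt(p_password, pb_user_pass);
$$;

-- Password change: the connect string must be re-encrypted in the same
-- statement, because the old password is its only key.
CREATE FUNCTION pb_change_password(p_name text, p_old text, p_new text)
RETURNS boolean LANGUAGE plpgsql AS $$
BEGIN
    UPDATE pb_user
       SET pb_user_connect = pgp_sym_encrypt(
                                 pgp_sym_decrypt(pb_user_connect, p_old), p_new),
           pb_user_pass    = crypt(p_new, gen_salt('bf'))
     WHERE pb_user_name = p_name
       AND pb_user_pass = crypt(p_old, pb_user_pass);
    RETURN FOUND;
END;
$$;

SELECT pb_login('joe', 'constructed-app-password');
SELECT pb_change_password('joe', 'constructed-app-password', 'constructed-new-password');
SELECT pb_login('joe', 'constructed-new-password');
```

Both functions receive the password in clear text inside the server, so the client connection should be encrypted and statement logging should not capture these calls. Because only the hash of the app password is stored, an admin cannot re-encrypt pb_user_connect after a database password rotation without the user's app password.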
