ODBC SQL security issues???
From: Mark Bixby <markb_at_spock.dis.cccd.edu>
Date: 19 May 1994 16:13:22 -0700
Message-ID: <2rgrqi$fvs_at_spock.dis.cccd.edu>
We're developing a client-server, ODBC SQL suite of applications, and a number of security issues are troubling us:
- Embedding logon ID & password information in cleartext ODBC.INI files does not seem to be terribly secure. Do you use this method, or do you force the end-users to manually enter this info every time they connect to the database?
- If you're storing an encrypted password in your own specialized .ini file that you retrieve and decrypt prior to connecting to the database, are you worried that the password might be revealed by ODBC driver tracing programs or LAN sniffers?
- You've created database logon IDs & passwords, and you've granted read/write access to the tables each user needs to access via the application. But what do you do about Joe or Jane Poweruser who goes down to their neighborhood software store and buys an ODBC-compliant SQL query/update tool, and they go and modify tables in harmful ways not permitted by the applications themselves?
Feel free to comment on any additional issues not listed above.
Thanks!
--
Mark Bixby                          Internet: markb_at_cccd.edu
Coast Community College District    1370 Adams Avenue
District Information Services       Costa Mesa, CA, USA 92626
Technical Support                   (714) 432-5064
"You can tune a file system, but you can't tune a fish." - tunefs(1M)

Received on Fri May 20 1994 - 01:13:22 CEST