Re: ODBC SQL security issues???
Date: 24 May 1994 17:16:27 GMT
Message-ID: <2rtcpb$7a1_at_zebedee.ingres.co.uk>
Mark Bixby (markb_at_spock.dis.cccd.edu) wrote:
: We're developing a client-server, ODBC SQL suite of applications, and a number
: of security issues are troubling us:
: 1) Embedding logon ID & password information in cleartext ODBC.INI files does
: not seem to be terribly secure. Do you use this method, or do you force the
: end-users to manually enter this info every time they connect to the database?
You don't do this at all. The login information is held in your netu entry. The UID/PASSWORD fields are not used if you specify them; rather, Ingres takes this information from the entries you use for your other user interfaces, e.g. isql.
: 3) You've created database logon IDs & passwords, and you've granted read/write
: access to the tables each user needs to access via the application. But what
: do you do about Joe or Jane Poweruser who goes down to their neighborhood
: software store and buys an ODBC-compliant SQL query/update tool, and they go
: and modify tables in harmful ways not permitted by the applications
: themselves?
This is unfortunately one of the discomforts of open systems. However, all is not lost. ODBC does not yet allow you to take advantage of Roles/Groups. So... By only granting permission on your tables to users who connect as a certain group, you can disallow anyone access via ODBC.
You could allow access to your tables by directly accessing these through a DLL. This does the connection as a certain group/role and does specific actions you require. This is no longer 'open'/ODBC, but then 'open' systems are supposed to make life easier for everyone and unfortunately for more people than you want.
Jon
-
Jon Machtynger (800 different beers a good enough excuse to move here??)
jonm_at_ingres.com
ASK Group nv
Excelsiorlaan 25
Brussels B-1930 Zaventem
Belgium
Tel: (2)716.32.11
Fax: (2)725.46.50

Received on Tue May 24 1994 - 19:16:27 CEST