Re: ODBC SQL security issues???

From: Jon Machtynger <jonm_at_nessie.be.ingres.com>
Date: 24 May 1994 17:16:27 GMT
Message-ID: <2rtcpb$7a1_at_zebedee.ingres.co.uk>


Mark Bixby (markb_at_spock.dis.cccd.edu) wrote:
: We're developing a client-server, ODBC SQL suite of applications, and a number
: of security issues are troubling us:
 

: 1) Embedding logon ID & password information in cleartext ODBC.INI files does
: not seem to be terribly secure. Do you use this method, or do you force the
: end-users to manually enter this info every time they connect to the database?

You don't do this at all. The login information is held in your netu entry. The UID/PASSWORD fields are not used if you specify them; rather, Ingres takes this information from the entries you use for your other user interfaces, e.g. isql.

: 3) You've created database logon IDs & passwords, and you've granted read/write
: access to the tables each user needs to access via the application. But what
: do you do about Joe or Jane Poweruser who goes down to their neighborhood
: software store and buys an ODBC-compliant SQL query/update tool, and they go
: and modify tables in harmful ways not permitted by the applications
: themselves?

This is unfortunately one of the discomforts of open systems. However, all is not lost. ODBC does not yet allow you to take advantage of Roles/Groups. So... By only granting permission on your tables to users who connect as a certain group, you can disallow anyone access via ODBC.

You could allow access to your tables by directly accessing these through a DLL. This does the connection as a certain group/role and does specific actions you require. This is no longer 'open'/ODBC, but then 'open' systems are supposed to make life easier for everyone and unfortunately for more people than you want.

Jon

-
Jon Machtynger (800 different beers a good enough excuse to move here??) jonm_at_ingres.com

ASK Group nv           _/_/     _/_/_/  _/  _/     
Excelsiorlaan 25      _/ _/    _/      _/ _/        Brussels
B-1930 Zaventem       _/_/_/   _/_/_/  _/_/_/       Belgium
Tel: (2)716.32.11    _/   _/      _/  _/   _/        
Fax: (2)725.46.50   _/    _/ _/_/_/  _/     _/       
Received on Tue May 24 1994 - 19:16:27 CEST
