Re: Oracle in Visual Basic

From: Volker Hetzer <firstname.lastname_at_ieee.org>
Date: Thu, 12 Oct 2006 18:38:39 +0200
Message-ID: <eglr2f$s36$1@nntp.fujitsu-siemens.com>

claudio.torres_at_gmail.com schrieb:
> Thanks JonWat.
>

>> Can they get it from your DLL? Quite possibly. If your DLL stores, for
>> example, an array which has the Application name and the
>> username/password with which to log on, then someone with a text editor
>> can find it in your DLL.

>
> The new DLL works this way.
>
> 1. The dll is instantiate in the application.
> 2. You setup a property of the DLL with a value corresponding to the
> application that is requesting a connection.
> 3. The dll takes the application value and executes a query to get the
> server, username and password (encrypted) from a schema in a database.
How does it the login credentials for that request?

> Before this, everybody (developers, managers, even users) knew the
> usernames and passwords for the production machines. Any one could
> connect and delete or do any thing. No security at all.
Then your applications are done wrong.
At the worst, you have one db-user per application role and the database makes sure that no user can do things he/she should not do. Separate schema owners and schema users. The schema owner credentials are known to those who can authorize schema changes and the user credentials to those who can enter data. Then you make sure (by using grants, packages, updateable views and so on) that a user can only execute legitimate requests and you won't need to resort to your kind of hacker stuff.

Lots of Greetings!
Volker

-- 
For email replies, please substitute the obvious.

Received on Thu Oct 12 2006 - 11:38:39 CDT