List:MySQL ODBC« Previous MessageNext Message »
From:Ed Carp Date:September 4 2002 4:30am
Subject:FW: myodbc & VB
View as plain text  
-----Original Message-----
From: Ed Carp [mailto:erc@stripped]
Sent: Tuesday, September 03, 2002 9:36 PM
To: John Calder
Cc: lists.mysql.com!myodbc@stripped
Subject: Re: myodbc & VB


On Wed, 4 Sep 2002, John Calder wrote:

> At 17:16 3/09/2002 -0700, you wrote:
> >I'm running into a bit of a "chicken-and-egg" problem with regards to
> >security: if I implement "my own" security scheme, anyone who can
"inspect"
> >the object code could conceivably learn the userID/password I'm using to
> >connect to the database and therefore circumvent my application security.
>
> I suggest that you go with your "my own" security scheme but make up
> some kind of simple encryption formula so any constants in your object
> code are the input to *your* process which delivers the MySQL login
> UserID/Password. I can't be more specific than this cos I don't want to
> publish too many clues as to how we do this in our apps!

It shouldn't be hard to figure out - weak encryption is worse than no
encryption at all.  You may want to consider abandoning your simple
encryption methods for something more secure, instead of relying on
"security through obscurity".

That being said, a more secure way to do this is to establish an SSL
connection to the server, then send a query, returning the required
information via the SSL pipe.  An example of how we do this in one of our
more secure applications:

1. Get login/password from the user.
2. Send to server via
"https://server/get_db_login_passwd.esp?LOGIN=userlogin&PASSWORD=userpasswor
d"
This can be some sort of ASP, Perl, or Escapade script - I strongly advise
against using PHP unless you're either on a dedicated server or are using
the cgi-php secure wrapper.  We use Escapade here, but again, you can use
almost anything as long as it's reasonable secure.

3. Look at return string from browser object.  If blank, user has supplied
incorrect credentials.
4. If not blank, return string contains host/database/login/password
information.
5. Open connection to database.
6. Proceed as normal.

The information that is used to establish the MySQL connection is only
contained in memory, and isn't stored anywhere.  After the connection is
established, the variables are cleared.  Pretty secure, I think - but
you're welcome to point out any weaknesses.

If you'd like, I can send along VB code that does this, if it would be
helpful.
--
Ed Carp, N7EKG          http://www.pobox.com/~erc               214/986-5870
Director, Software Development
Escapade Server-Side Scripting Engine Development Team
Pensacola - Dallas - London - Dresden
http://www.squishedmosquito.com



Thread
FW: myodbc & VBEd Carp4 Sep