Frank Millman wrote:
> Peter Hansen wrote:
> 
>>Frank Millman wrote:
>>
(snip)
>>>The only truly secure solution I can think of would involve a radical
>>>reorganisation of my program
>>
>>Please define what "truly secure" means to you.
>>
> 
> 
> Fair question. I am not expecting 'truly' to mean 100% - I know that is
> impossible. I will try to explain.
> 
> Here are some assumptions -
> 1. A system administrator is responsible for the system.
> 2. There is a single userid and password for connecting to the
> database. This must be stored somewhere so that the client program can
> read it to generate the appropriate connection string. The users do not
> need to know this userid and password.
> 3. Each user has their own userid and password, which is stored in the
> database in a 'users' table. I use this in my program for
> authentication when a user tries to connect.

Why not simply use the security system of your RDBMS? If you set up
appropriate privileges in the RDBMS, you won't have to store any
userid/password in the program, and no user will be able to bypass
anything, even if connecting directly (like with a CLI DB client) to the
RDBMS.


> [snip]
> 
> 
(snip more)
>
> I am not concerned about anyone reading my code - in fact I am looking
> forward to releasing the source and getting some feedback.
> 
> My concern is this. I have all this fancy authentication and business
> logic in my program. If someone wants to bypass this and get direct
> access to the database, it seems trivially easy. All they have to do is
> read my source, find out where I get the connection string from, write
> their own program to make a connection to the database, and execute any
> SQL command they want.

That's why RDBMSs have an authentication and security system. This
doesn't mean your program doesn't have or cannot add its own security
management, but it should be based on the RDBMS one.

-- 
bruno desthuilliers
python -c "print '@'.join(['.'.join([w[::-1] for w in p.split('.')]) for
p in '[EMAIL PROTECTED]'.split('@')])"
-- 
http://mail.python.org/mailman/listinfo/python-list

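As an added example of what "base it on the RDBMS security system" looks like in practice (this is not code from either poster, and it is PostgreSQL-specific): the shared connection account and the application's 'users' table go away, each person gets a login role whose password lives only in the server's catalog, tables are owned by a role nobody logs in as, and the business-logic rules are enforced inside a SECURITY DEFINER function that ordinary users may execute but whose underlying table they may not write. The schema, table, column, function and role names (app, ledger, post_entry, app_owner, app_clerk, alice) are all assumed for the illustration, as is the placeholder password.

```sql
-- Added example (PostgreSQL), not from the thread. Assumed names: schema app,
-- table app.ledger, function app.post_entry, roles app_owner/app_clerk/alice.
-- Run as the database administrator (a superuser or a role with CREATEROLE
-- plus ownership rights).

-- 1. An owner role that holds the schema and all objects and never logs in,
--    so there is no owner password for a client program to store.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;
REVOKE ALL ON SCHEMA public FROM PUBLIC;   -- no default playground for anyone

CREATE TABLE app.ledger (
    id        bigserial   PRIMARY KEY,
    owner     text        NOT NULL,           -- login role that posted the entry
    amount    numeric     NOT NULL,
    posted_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE app.ledger OWNER TO app_owner;

-- 2. Business logic lives in the database. SECURITY DEFINER makes the function
--    run with its owner's (app_owner's) rights, so callers need no INSERT
--    privilege on the table itself; the validation cannot be skipped by
--    connecting with psql, because there is no other way to write the table.
CREATE FUNCTION app.post_entry(p_amount numeric)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = app, pg_temp              -- pin search_path: no object hijacking
AS $$
DECLARE
    v_id bigint;
BEGIN
    IF p_amount <= 0 THEN
        RAISE EXCEPTION 'amount must be positive';
    END IF;
    -- session_user is the role that actually logged in, even though the
    -- function body executes as app_owner.
    INSERT INTO app.ledger (owner, amount) VALUES (session_user, p_amount)
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;
ALTER FUNCTION app.post_entry(numeric) OWNER TO app_owner;
-- New functions are executable by PUBLIC by default; take that back first.
REVOKE EXECUTE ON FUNCTION app.post_entry(numeric) FROM PUBLIC;

-- 3. A group role for ordinary users: read the table, post only via the function.
CREATE ROLE app_clerk NOLOGIN;
GRANT USAGE ON SCHEMA app TO app_clerk;
GRANT SELECT ON app.ledger TO app_clerk;          -- no INSERT/UPDATE/DELETE
GRANT EXECUTE ON FUNCTION app.post_entry(numeric) TO app_clerk;

-- 4. Row-level security so a clerk sees only their own entries, even with a
--    hand-written SELECT from a CLI client. The owner role bypasses RLS by
--    default, which is what lets the function's INSERT through.
ALTER TABLE app.ledger ENABLE ROW LEVEL SECURITY;
CREATE POLICY clerk_sees_own ON app.ledger
    FOR SELECT TO app_clerk
    USING (owner = current_user);

-- 5. One login role per person. The password is stored (hashed) only in the
--    server catalog; the client program prompts for it and never stores it.
--    'change-me' is a placeholder for the illustration.
CREATE ROLE alice LOGIN PASSWORD 'change-me' IN ROLE app_clerk;

-- 6. Checks the administrator can run to confirm the intended boundary.
SELECT has_function_privilege('alice', 'app.post_entry(numeric)', 'EXECUTE');
SELECT has_table_privilege('alice', 'app.ledger', 'INSERT');
```

The two `has_*_privilege` queries return `t` and `f` respectively: alice can call `app.post_entry` but cannot insert into `app.ledger`. Connecting as alice directly (`psql -U alice`) and issuing `INSERT INTO app.ledger ...` fails with a permission-denied error, and `SELECT app.post_entry(-500)` fails on the validation inside the function, which is exactly the bypass the original poster was worried about. The client program then opens its connection with the user's own role and password (for example `psycopg2.connect(user=..., password=...)` from whatever the user typed), so there is no shared connection string in the source for anyone to read.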