Perhaps someone can provide me with some of his or her experiences if
looking at MySQL to implement a “secure from structure manipulation” in a
commercial application using MySQL.



I am currently evaluating the possible migration of my app to MySQL as the
basis. I already have tested the creation of structures and exporting of
the 100+ tables and looked at viewing the data via Delphi on internal
networks and over dial-up lines. I have also viewed the creation of “Open
Database” copies that users can do What If analysis and structure
manipulation with. This has been a successful start, I am pleased to say.



Part of my is into the security of the data structures. I need to know that
the creation of a structure and data I use that users/hackers would 1) not
be able to access and manipulate the data structures and 2) only access the
data according to the user definitions set under my applications
administration utilities. The reason for this is that the data I deal with
is both sensitive and relatively complex in its relationships. Data
Integrity is vitally important. I do not want anyone having the chance of
manipulating the “live” data structures and data other than via the
application. That is not to say that users cannot manipulate their own data.
In a controlled environment I currently provide an “export” of the data to
an open format (which now includes MySQL) that users can manipulate in any
way, manner or form they like. It is only the Live data that needs to be
closely controlled and handled. This model has proved successful over the
last 13 years but I am now looking for a new database engine. The pricing
model is understood and am happy with the Commercial License approach and
with me looking to roll out 200+ licenses over a 24 month period, this is
not an issue. The issue is can it work in a similar controlled manner as my
current application. If not where are the issues and can I live with the
differences.



One worry is the ability for users/hackers etc to overlay the user access
database i.e. “what to do if you forget the administration password”
scenario. This procedure will then allow open access to the data structures
and the information of the application and the “live” data. I need to block
this capability.



What have others done to keep data structure security within their control
only? Being a Windows house I am really only looking at the Windows version
(at the moment). I use other high level languages, which don’t include C++,
i.e. I don’t have the compiler to “make my own special MySQL version”. I
don’t really want to create my own special binaries anyway.



I am not sure what encryption models are available. An external encryption
library isn’t really useful because this would block users using 3rd party
report writers to gain read-only access to the data structures to write
their reports. If an internal encryption mechanism is available then I would
like to hear about it.



Sorry about the message length, but I am trying to give a little bit of
background to cover the more obvious “Why don’t you …” or “Do you …”
questions.



Regards



Kerry
