[Gambas-user] A doubt about Gambas

Benoit Minisini gambas at ...1...
Wed Jan 18 16:06:06 CET 2006


On Wednesday 18 January 2006 15:52, Dani Santos wrote:
> Hello
>
> On Wed, 18-01-2006 at 12:40 +0100, juan wrote:
> > Hello
> > Just a question about your problem.
> > I'm not sure, but isn't it better to create a table with user and
> > password in SQL and later, from Gambas, check that table and, based on
> > that, control the access level as well?
>
> Yes that's true. I've already considered that.
>
> > It's just a suggestion, but it is not a good idea to hard-code a
> > password: if somebody guesses it or discovers it from a teacher you will
> > have to change it in your code, and that is not a good idea.
>
> That's the problem. It isn't a good idea to do it but... how to do it?
> Let's suppose that the application is named GambasLibrary and it stores
> the host, user and passwd in a ~/.GambasLibrary file.
>
> A user can do:
> $ cat ~/.GambasLibrary
> DBHost=172.19.243.2
> DBUser=jander
> DBPasswd=clander
>
> $ mysql -u jander -p -h 172.19.243.2
> Password:clander
> mysql> delete from books;
>
>
> Oh! I've got a problem, and I can assure you that I cannot trust my
> users :)
>

There is no real solution for that problem. If your application can access the 
database, then the user can too. It's just a matter of getting the needed 
information. By tracing what is sent by the application on any socket, you 
will get the user and password, however you store them.

You can just hope:

1) That your users are not very clever. Then you can just store the password 
in an encrypted format, and decrypt it in your application. Do not choose too 
easy an algorithm.

2) That your users do not read this mailing-list and won't read the public 
archive :-)

Another solution is making a Gambas front-end server between your application 
and the database. This front-end will be located on the server, and only this 
front-end will be allowed to talk to the database. Your application will ask 
the front-end to send commands to the database, and will receive the result.

Then, users will be able to access the database only if they can log on to the 
server.

Regards,

-- 
Benoit Minisini
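The front-end server described in the reply above, as an added example that is not part of the original thread and is not Gambas or GambasLibrary code. The database credentials exist only inside the server process (open_db); the client never holds them and can only send named commands, so "delete from books" is not something the protocol can express. Assumptions made for the example: an in-memory sqlite3 database stands in for the MySQL server, the wire protocol is one JSON object per line over TCP on the loopback interface, the two book rows are constructed, and the command names (list, borrow), table layout and port handling are illustrative choices.

```python
"""Added example: a front-end server between untrusted clients and the DB."""
import json
import socket
import sqlite3
import threading

# Constructed sample rows standing in for the library's real "books" table.
SEED_BOOKS = [("Programming Gambas", "J. Doe"), ("SQL in Practice", "A. Smith")]
COLUMNS = ("id", "title", "author", "loaned_to")


def open_db():
    """Open the database. Only the front-end (server side) ever runs this, so
    the real DBHost/DBUser/DBPasswd would live here and never reach a client.
    sqlite3 in memory is an assumption standing in for the MySQL server."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, "
               "author TEXT, loaned_to TEXT)")
    db.executemany("INSERT INTO books (title, author) VALUES (?, ?)", SEED_BOOKS)
    db.commit()
    return db


def cmd_list(db, args):
    rows = db.execute("SELECT id, title, author, loaned_to FROM books ORDER BY id")
    return {"ok": True, "books": [dict(zip(COLUMNS, r)) for r in rows]}


def cmd_borrow(db, args):
    book_id, user = args.get("id"), args.get("user")
    if not isinstance(book_id, int) or not isinstance(user, str) or not user:
        return {"ok": False, "error": "bad arguments"}
    cur = db.execute("UPDATE books SET loaned_to = ? "
                     "WHERE id = ? AND loaned_to IS NULL", (user, book_id))
    db.commit()
    return {"ok": cur.rowcount == 1}  # False if already loaned or unknown id


# The whole client-visible surface: named commands mapped to fixed SQL.
# There is no "run this SQL" command, so arbitrary statements cannot be sent.
COMMANDS = {"list": cmd_list, "borrow": cmd_borrow}


def handle_request(db, line):
    """Parse one JSON request line and dispatch it to a whitelisted command."""
    try:
        req = json.loads(line)
        handler = COMMANDS[req["cmd"]]
        args = req.get("args", {})
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "unknown command"}
    if not isinstance(args, dict):
        return {"ok": False, "error": "bad arguments"}
    return handler(db, args)


def serve(db, listener, stop):
    """Accept clients one at a time; each connection sends JSON lines and gets
    one JSON response line per request."""
    listener.settimeout(0.2)  # poll the stop flag between accepts
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        conn.settimeout(5)
        try:
            with conn, conn.makefile("rw", encoding="utf-8") as f:
                for line in f:
                    f.write(json.dumps(handle_request(db, line)) + "\n")
                    f.flush()
        except OSError:
            pass  # slow or dropped client; keep serving the others


def client_query(port, request):
    """What the desktop application does: connect to the front-end and send a
    command. No database credentials are involved on this side."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        with s.makefile("rw", encoding="utf-8") as f:
            f.write(json.dumps(request) + "\n")
            f.flush()
            return json.loads(f.readline())


def run_demo():
    """Start the front-end on an ephemeral loopback port and run four client
    requests against it; returns the list of responses in order."""
    db = open_db()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    port = listener.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(db, listener, stop), daemon=True)
    t.start()
    try:
        results = [
            client_query(port, {"cmd": "borrow", "args": {"id": 1, "user": "jander"}}),
            client_query(port, {"cmd": "borrow", "args": {"id": 1, "user": "clander"}}),
            client_query(port, {"cmd": "list"}),
            # raw SQL is simply not a command the front-end understands
            client_query(port, {"cmd": "delete from books"}),
        ]
    finally:
        stop.set()
        t.join()
        listener.close()
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

Sniffing the client's socket now reveals only the JSON commands, not a database login, which is the gain Benoit describes. The caveat from the reply still holds: whoever can log on to the server host can read the credentials from open_db(), and if access levels per user are wanted (the user/password table juan suggests), the front-end must authenticate each client itself before dispatching commands.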
