-
Nov 16th, 2014, 06:59 AM
#1
Thread Starter
PowerPoster
Connection hijack to server
It is a nightmare.
My MySQL 2-tier database application written in VB.NET connects to my database.
The user privileges and security are handled by MySQL itself with appropriate rights (SELECT, UPDATE, INSERT and DELETE).
All are fine.
THE NIGHTMARE IS
One of the client users has installed the MySQL client on his terminal, connected to the MySQL server over the network with his UserId and Password, and does all sorts of nonsense.
The tonnes of business logic have gone in vain.
How do I tackle such a situation, please? Do I need to alias the user details? Or else???
-
Nov 16th, 2014, 03:12 PM
#2
Re: Connection hijack to server
If you give the users database logins, they can do whatever they like (based on the limits you have set in the database security, which is anything your application does, and anything else it has permission to do but doesn't have code for).
If you give the application a database login, some users can still do anything they like - but it takes more effort to find out the database login (most users won't be able to do it).
In order to restrict them properly, you need to also restrict your application to the same limits.
The usual thing to do is create Stored Procedures to do the work (eg: some to run particular Select statements and return the results, some to add/edit/delete data, and anything else), then create a new user in the database and give it permission to only run the Stored Procedures. You then use that login from your application.
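One concrete MySQL setup of the pattern described in this reply, added here as an example rather than code from the thread (the database, table, procedure and account names are constructed for illustration): the owner account holds the table rights, the procedures run with the owner's rights, and the account the application connects with can only EXECUTE those procedures.

```sql
-- Constructed schema and accounts (not from the thread); the passwords are placeholders.
CREATE DATABASE IF NOT EXISTS app_db;
USE app_db;

CREATE TABLE IF NOT EXISTS orders (
    id         INT AUTO_INCREMENT PRIMARY KEY,
    customer   VARCHAR(100) NOT NULL,
    amount     DECIMAL(10,2) NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

-- Owner account: holds the table privileges and is never handed to end users.
CREATE USER 'app_owner'@'localhost' IDENTIFIED BY 'owner-password-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_owner'@'localhost';

DELIMITER //
-- SQL SECURITY DEFINER (the MySQL default) runs the body with app_owner's
-- rights, so the caller needs no table privileges of its own.
CREATE DEFINER = 'app_owner'@'localhost' PROCEDURE add_order(
    IN p_customer VARCHAR(100), IN p_amount DECIMAL(10,2))
SQL SECURITY DEFINER
BEGIN
    -- Business rule enforced on the server, where a raw client cannot skip it.
    IF p_amount <= 0 THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'amount must be positive';
    END IF;
    INSERT INTO orders (customer, amount) VALUES (p_customer, p_amount);
END //

CREATE DEFINER = 'app_owner'@'localhost' PROCEDURE list_orders(
    IN p_customer VARCHAR(100))
SQL SECURITY DEFINER
BEGIN
    SELECT id, customer, amount, created_at FROM orders WHERE customer = p_customer;
END //
DELIMITER ;

-- Application account: the only login the VB.NET program uses. It gets
-- EXECUTE on the named procedures and nothing else (no table access at all).
CREATE USER 'app_client'@'%' IDENTIFIED BY 'client-password-placeholder';
GRANT EXECUTE ON PROCEDURE app_db.add_order   TO 'app_client'@'%';
GRANT EXECUTE ON PROCEDURE app_db.list_orders TO 'app_client'@'%';

-- Check from a session logged in as app_client:
--   CALL add_order('acme', 10.00);   -- succeeds
--   CALL add_order('acme', -5.00);   -- rejected by the SIGNAL in the procedure
--   DELETE FROM app_db.orders;       -- ERROR 1142: DELETE command denied
```

Creating a procedure with a DEFINER other than yourself requires the SUPER (or, on newer versions, SET_USER_ID) privilege, so run the script as an administrator; the application account's password still must not be discoverable by users, which is why keeping it out of the client binary matters.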
-
Nov 16th, 2014, 08:57 PM
#3
Thread Starter
PowerPoster
Re: Connection hijack to server
Thanks for reply geek
Is there any other way out? I mean aliasing the login user names behind the screen (I mean user XXX on the front end means 5678, the true user name, in the back end), or something like this.
How do the big data apps handle this? Can we incorporate it?
Thanks again, geek.
-
Nov 17th, 2014, 03:00 AM
#4
Re: Connection hijack to server
Originally Posted by make me rain
Is there any other way out? I mean aliasing the login user names behind the screen (I mean user XXX on the front end means 5678, the true user name, in the back end), or something like this.
That would not protect your data at all... it would just make it easier to work out who did the damage.
How do the big data apps handle this? Can we incorporate it?
Using the kind of method I described above.
Details vary depending on the circumstances (eg: if the database is on a web server, you should also use a Web Service), but the idea remains the same.