Thread: Connection hijack to server

  1. #1

    Thread Starter
    PowerPoster make me rain's Avatar
    Join Date
    Sep 2008
    Location
    india/Hubli
    Posts
    2,208

    Connection hijack to server

    It is a nightmare.
    My MySQL 2-tier database application, written in VB.NET, connects to my database.
    The user privileges and security are handled by MySQL itself with appropriate rights (SELECT, UPDATE, INSERT & DELETE).
    All are fine.

    THE NIGHTMARE IS
    One of the client users has installed the MySQL client on his terminal and connected to the MySQL server over the network with his UserId and Password, and does all nonsense.
    The tonnes of business logic have gone in vain.

    How do I tackle such a situation, please?
    Do I need to alias the user details? Or else ???
    The averted nuclear war
    My notes:

    PrOtect your PC. MSDN Functions .OOP LINUX forum
    .LINQ LINQ videous
    If some one helps you please rate them with out fail , forum doesn't expects any thing other than this

  2. #2
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,929

    Re: Connection hijack to server

    If you give the users database logins, they can do whatever they like (based on the limits you have set in the database security, which is anything your application does, and anything else it has permission to do but doesn't have code for).

    If you give the application a database login, some users can still do anything they like - but it takes more effort to find out the database login (most users won't be able to do it).


    In order to restrict them properly, you need to also restrict your application to the same limits.

    The usual thing to do is create Stored Procedures to do the work (eg: some to run particular Select statements and return the results, some to add/edit/delete data, and anything else), then create a new user in the database and give it permission to only run the Stored Procedures. You then use that login from your application.
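
The stored-procedure approach described in this reply, sketched for MySQL as an added example that is not part of the original post. The database, table, procedure and account names and the password are hypothetical placeholders.

```sql
-- Added example. Run as an administrative account in the mysql command-line
-- client (DELIMITER is a client command). All object names are constructed.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE IF NOT EXISTS orders (
    order_id INT AUTO_INCREMENT PRIMARY KEY,
    customer VARCHAR(64)   NOT NULL,
    amount   DECIMAL(10,2) NOT NULL,
    status   VARCHAR(16)   NOT NULL DEFAULT 'open'
);

DELIMITER //

-- Read path: returns only the columns and rows the application needs.
CREATE PROCEDURE list_orders_for(IN p_customer VARCHAR(64))
    SQL SECURITY DEFINER
BEGIN
    SELECT order_id, amount, status
      FROM orders
     WHERE customer = p_customer;
END //

-- Write path: the business rule (only open orders may be cancelled) lives
-- in the procedure, so it holds no matter which client calls it.
CREATE PROCEDURE cancel_order(IN p_order_id INT)
    SQL SECURITY DEFINER
BEGIN
    UPDATE orders
       SET status = 'cancelled'
     WHERE order_id = p_order_id AND status = 'open';
    SELECT ROW_COUNT() AS rows_changed;
END //

DELIMITER ;

-- Login used by the application: no table privileges, EXECUTE only.
CREATE USER 'app_user'@'%' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT EXECUTE ON PROCEDURE shop.list_orders_for TO 'app_user'@'%';
GRANT EXECUTE ON PROCEDURE shop.cancel_order    TO 'app_user'@'%';

-- Existing per-user logins lose the direct rights named in the first post
-- ('existing_user' is a placeholder for each such account):
-- REVOKE SELECT, INSERT, UPDATE, DELETE ON shop.* FROM 'existing_user'@'%';

SHOW GRANTS FOR 'app_user'@'%';  -- verify: only USAGE and the two EXECUTE grants
```

Because the procedures run with the definer's rights, `CALL shop.cancel_order(42);` works for `app_user`, while a direct `UPDATE shop.orders ...` from the same login is refused with a privilege error, whichever client program is used to connect.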

  3. #3

    Thread Starter
    PowerPoster make me rain's Avatar
    Join Date
    Sep 2008
    Location
    india/Hubli
    Posts
    2,208

    Re: Connection hijack to server

    Thanks for the reply, geek.
    Is there any other way out? I mean aliasing the login user names behind the screen (I mean user XXX on the front end means 5678 in the back end, the true user name) or something like this.
    How do the big data apps handle this? Can we incorporate it?
    Thanks again, geek.

  4. #4
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,929

    Re: Connection hijack to server

    Originally posted by make me rain:
    "Is there any other way out? I mean aliasing the login user names behind the screen (I mean user XXX on the front end means 5678 in the back end, the true user name) or something like this."
    That would not protect your data at all... it would just make it easier to work out who did the damage.

    "How do the big data apps handle this? Can we incorporate it?"
    Using the kind of method I described above.

    Details vary depending on the circumstances (eg: if the database is on a web server, you should also use a Web Service), but the idea remains the same.
