
Thread: VB6 - SQL - db STOLEN!

  1. #1

    Thread Starter
    New Member
    Join Date
    May 2005
    Posts
    12

    VB6 - SQL - db STOLEN!

    I need to get a VB6 application developed that will be deployed to over a 1,000 end users. Their application data will not be stored locally but on a central SQL db on a server through internet. Each user can view and update certain information on the db.

    The problem is, the SQL db username and password cannot be hard-coded into the application as the password may change anytime.

    And if the password is kept on a file either on the client machine or on the server then anyone can view the db username and password and STEAL all the db content!

    How to protect the db username and password and also allow the Admin to change those 2 values without having all the users to update their application?
    Always keep an extra credit card processing account as a backup, just in case. I use: 2checkout.com

    It's easy to open an account and the charges are reasonable, no need of any monthly activity and no monthly charges. Their new system is great and support is also good. Can also be used to accept undefined amounts, no need to keep adding new products in the setup.

  2. #2

    Thread Starter
    New Member
    Join Date
    May 2005
    Posts
    12

    Re: VB6 - SQL - db STOLEN!

    I found this solution on another forum to a similar problem:

    "Opening up a database for local program access is a huge security nightmare if you are going to connect directly to the database. The best thing to do would be to create another layer and actually pass your arguments to an ASP or PHP or PERL page on the web server, which would then pass to the database, then the database would return information to a new PHP, ASP or PERL page and you could get the information from there. Otherwise you are going to have security problems."

    Is using an ASP page the best way? Because I already have the ASP pages that the program is going to replace. But won't that affect the speed of the application?

    If this is indeed the best solution, then how can the application connect to the online ASP script and grab the results, and show a progress bar while the data is being collected?

  3. #3
    Hyperactive Member
    Join Date
    Apr 2005
    Location
    Indiana
    Posts
    451

    Re: VB6 - SQL - db STOLEN!

    You could store the username and password in a collection in the code, and make it so that if the username or password needs to be changed you have a txtbox for the old username and one for the new, and before the username can be changed to the new one, the old one in the txtbox must match the one in the collection.

    I hope that made sense.

  4. #4

    Thread Starter
    New Member
    Join Date
    May 2005
    Posts
    12

    Re: VB6 - SQL - db STOLEN!

    That won't work... the username and password are of the main SQL db, not the client's. The client should not even know that such a u/n and pass exists. That pass is the key to the whole db where the data of thousands of clients is stored.

  5. #5
    Hyperactive Member naruponk's Avatar
    Join Date
    Feb 2004
    Location
    Some where in the world
    Posts
    423

    Re: VB6 - SQL - db STOLEN!

    Ideas:
    You may store the username and password in SQL as encrypted characters. I know that anyone who can view the DB can also see the encrypted password.

  6. #6
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,974

    Re: VB6 - SQL - db STOLEN!

    Why does the password need to change? If the user is an SQL Server login (as opposed to a Windows login) then the password can stay the same.

    Anyway, if the password needs to change (or you want it to):

    As you can't connect to the database without a password, I would recommend storing the username/password in an encrypted file on a server (don't give it an obvious name, or extension).

    Your program can get this file, then decrypt the contents, and then connect to the database.

    You only need to download the file when it changes (check the date if you can, or just wait for a login failure), but it won't be so big that it will slow things down too much if you get it every time.

    As you will probably want to keep the login info at the client (securely), you can just store the encrypted file along with the application.

  7. #7
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: VB6 - SQL - db STOLEN!

    A SQL database open to a VB program over the internet - that's dangerous.

    Are secure connections to the server out of the question? VPN for example?

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  8. #8
    Hyperactive Member naruponk's Avatar
    Join Date
    Feb 2004
    Location
    Some where in the world
    Posts
    423

    Re: VB6 - SQL - db STOLEN!

    Quote Originally Posted by szlamany
    A SQL database open to a VB program over the internet - that's dangerous.
    I'm going to use a VB program over the internet...
    What's the best way to use server-client over the internet?
    If I have a server at headquarters and another branch is in another place,
    what's the most proper way to connect to the server from the branch's client computer
    using SQL Server?

    Please give me some advice
    Thanks

  9. #9

    Thread Starter
    New Member
    Join Date
    May 2005
    Posts
    12

    Re: VB6 - SQL - db STOLEN!

    Quote Originally Posted by szlamany
    A SQL database open to a VB program over the internet - that's dangerous.

    Is secure connections to the server out of the question? VPN for example?
    How can it be dangerous? Whether it is a VB program or any other language program, if the requirement of the application is to store the information centrally in a SQL db, then Microsoft must have thought of such a situation and provided some way to make this possible.

    Problem is, I don't know what M$ has thought of and how they have made it secure so that no one can hack into the central SQL db.

    Any thoughts?

  10. #10
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: VB6 - SQL - db STOLEN!

    From what I have seen, SQL Server DB's are accessed on local networks by VB6. In that realm the recommended access is by WINDOWS AUTHENTICATION (integrated security) - never the use of SQL authentication.

    Since you do not have that situation, you must research your options.

    Here's a good link at the MSDN site on securing .NET applications.

    http://msdn.microsoft.com/SQL/sqlsecurity/default.aspx


  11. #11

    Thread Starter
    New Member
    Join Date
    May 2005
    Posts
    12

    Re: VB6 - SQL - db STOLEN!

    Since VB6 has been around for so many years, isn't there a standard set for accessing online SQL db's by now??

  12. #12
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: VB6 - SQL - db STOLEN!

    Quote Originally Posted by mlist
    since VB6 has been around for so many years, isn't there a standard set for accessing online SQL db's by now??
    You ask this question as if you think that online SQL db's have been around for a long time.

    MS markets .NET (ado.net, vb.net and all the other .net stuff) at this online SQL world.

    The type of data we maintain with our VB apps would not lend itself to online access - student records, health records - stuff like that.

    Whenever an administrator or user wants online access, the IT dept gives them VPN access to the internal network.

    Sorry I cannot help you any further.


  13. #13
    I'm about to be a PowerPoster! Hack's Avatar
    Join Date
    Aug 2001
    Location
    Searching for mendhak
    Posts
    58,333

    Re: VB6 - SQL - db STOLEN!

    Quote Originally Posted by mlist
    since VB6 has been around for so many years, isn't there a standard set for accessing online SQL db's by now??
    There are web based features built into VB6, but primarily it is a desktop development language.

    If you are going to deploy an application across the web, why are you using VB6 as opposed to ASP or HTML or some platform designed for web use?

  14. #14

    Thread Starter
    New Member
    Join Date
    May 2005
    Posts
    12

    Re: VB6 - SQL - db STOLEN!

    The application needs to store some data in user's computer and other data like his name, pic and email address on a central SQL db. It's like a friends' network application where other users will be able to access the details of other users.

    Since VB6 is not meant for internet access to SQL, then can we have the application connect to an online ASP page that will connect to the db and pass on the details to the application? Or has this been tried before and failed due to speed or other issues?

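Added example, not part of the original thread: a sketch of the middle tier discussed above, where the desktop client sends only the end user's own login and the server page alone holds the database credential. Python and an in-memory SQLite database stand in for the ASP page and SQL Server; the table, the function names and the sample users are assumptions made up for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_pw(password, salt):
    # Slow salted hash of each end user's OWN password (never the DB login).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Server side only: the real DB username/password would live here,
    # so changing it never requires touching the deployed clients.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, email TEXT)")
    for name, pw, email in [("alice", "a-pass", "alice@example.test"),
                            ("bob", "b-pass", "bob@example.test")]:  # constructed sample users
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, salt, hash_pw(pw, salt), email))
    return db

def authenticate(db, user, password):
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_pw(password, row[0]))

def handle_request(db, req):
    """What the server page does with one request from the desktop client."""
    if not authenticate(db, req.get("user", ""), req.get("password", "")):
        return {"status": 401, "error": "bad credentials"}
    action = req.get("action")
    if action == "view":
        # Any authenticated user may read another user's profile fields.
        # Parameter binding keeps client input out of the SQL text.
        row = db.execute("SELECT name, email FROM users WHERE name = ?",
                         (req.get("target", ""),)).fetchone()
        if row is None:
            return {"status": 404, "error": "no such user"}
        return {"status": 200, "name": row[0], "email": row[1]}
    if action == "update_email":
        # Authorization: the row written is always the caller's own,
        # whatever other fields the client sends.
        db.execute("UPDATE users SET email = ? WHERE name = ?",
                   (req.get("email", ""), req["user"]))
        return {"status": 200}
    return {"status": 400, "error": "unknown action"}
```

The client never sees a connection string, so a decompiled or sniffed client yields at most one end user's own login, and the server decides which rows that login may touch.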