Please Help !! I Need to protect my data

[riter2k]

Hi

I am thinking of an application that may have VB at the front end and may be access as database at the back end. My application will have the exe of the VB project and a database as usual.

But the most important part is, the database will contain tables filled with lucrative data. I badly need to protect my data from any fradaulant activity. I can protect an MSaccess database by password but they can be easily hacked. As further precaution, I may even encrypt the data and decrypt it during execution. But, still I am not feeling very comfortable.

Is there any better method ? I have seen applications that appears to pack database within the exe itself. Can anyone suggest how to do it, if it can be done at all. Please Help.

With regards

riter2k

[szlamany]

Welcome to the forum!

We do medical processing software - we use MS SQL Server as the backend.

We do this because MS SQL Server has STORED PROCEDURES - these allow the VB client program to talk to the database with basically a "function" call - no direct access to tables at all.

A user cannot open a table - see a table, update a table. They can try to connect to the database with EXCEL, for instance, but will get no where.

That system level security is the reason we use MS SQL Server.

Since we use STORED PROCEDURES, we can come up with many different ways of securing data access from the database to the VB-client program.

[si_the_geek]

In terms of MS Access, there is no way of protecting your data to a reasonable degree unless it is very well encrypted, as well as using as many of the options available to you (like the database password). Unforunately all security methods I have seen for Access (other than enryption done entirely by a separate program) can be broken in a small amount of time.

I don't know how you would add the database to the program (I think you need to check out "resource files", as discussed many times on this site), and I don't think that Access would be keen to run like that anyway.


I would agree with szlamany that a different ("proper") DBMS is the way to go. SQL Server (or the free cut-down version, MSDE) would be good, as would a few of the other 'big' DBMS's.

[-TPM-]

If you want to use Access all you need to do is have a server app that access the DB gets the data and returns it to the clients. I'd recomend useing a full SQL server if you can, apart from security it'll run a lot faster. I WOULD"T recomend MSDE, apart from limited DB size, no GUI, 5 connection limit if MS catch you using MSDE for a production app. you'll get a HUGE fine. If you want a free DB I'd recommend MySQL.

[szlamany]

If you want to use Access all you need to do is have a server app that access the DB gets the data and returns it to the clients. I'd recomend useing a full SQL server if you can, apart from security it'll run a lot faster. I WOULD"T recomend MSDE, apart from limited DB size, no GUI, 5 connection limit if MS catch you using MSDE for a production app. you'll get a HUGE fine. If you want a free DB I'd recommend MySQL.

MSDE can be used for a commercial application.

It slows down after 8 concurrent users are connected - that's the way MS enforces the "low-use" requirement.

If you purchase MS SQL Developers edition (about $50 US) you get all the management tools for the MSDE instance - so you the developer can manage it - just not the customer.

[si_the_geek]

I've been beaten again!

Anyway, here's the official word on it - you can use it for a production app, and re-distibute it (subject to a few minor conditions):
http://www.microsoft.com/sql/msde/howtobuy/msdeuse.asp

..and the offical wording for 8 concurrent users before slowdown (maximum 32k users):
http://msdn.microsoft.com/library/?u...asp?frame=true


MySQL is however a valid alternative (so I've heard anyway!).

[-TPM-]

I swear the license agreement said no comercial use last time I checked.... That was a while ago though. You are limited to 5 concurrent batch connections though 25 for web. Even so I'd still go with MySQL over MSDE.
Here's a decription of the limitations:
http://www.teratrax.com/articles/msd...ql_server.html

[riter2k]

Hello everybody

Thank you all for your valuable answers. However, I am very sorry for making a small mistake in my posting. The database will be prefilled with data and the
application & database together will be distributed in CD form ( as in CD based Telephone directory). That means I need a database that would be portable. I think MS sql server is not that portable and So I chose MS Access.

It appears to me, as suggested by Si the Geek, the encryption of the data is the only choice left. Yes, I have thought of it as atleast the last choice.

As of now, I have a very limited idea how the encryption and decryption works. As far my idea goes, if my application reads only record by record, then it can read individual records from the tables and decrypt the record by my application and display. However, it cannot not be suitable as I need to filter or sort according to different choices of users to display it. But, sorting and filtering on the encrypted data cannot have the same results as it is on the original one, I suppose.

Otherwise, I am to create a temporary database somewhere, decrypt all the data there, then connect to that temporary database to retrieve and subsequently Kill the database as the application is closed. Am I right ?

However, can the location of the newly created database be easily traced while the apllication is on ?

Thanking you all once again

[vincentg]

I got a similar application like riter2k. VB Front MS Access back.
To have some little security. I just put some password on the MBD file which anybody could see where my database is (if they really look for it...)
but they still have to figure out what is my password...

[-TPM-]

Well if it's on a CD you don't need to worry about it being changed...
If your worried about people accessing the data(who shouldn't be able to) perhaps you could use webservices or remoting to retrieve this data from your server.

[si_the_geek]

But, sorting and filtering on the encrypted data cannot have the same results as it is on the original one, I suppose.

Otherwise, I am to create a temporary database somewhere, decrypt all the data there, then connect to that temporary database to retrieve and subsequently Kill the database as the application is closed. Am I right ?

However, can the location of the newly created database be easily traced while the apllication is on ?

You are right about not being able sort/filter the encrypted data (but you could filter exact matches, by encrypting the query text).

A temp database (encrypt the whole file, and decrypt to the temp folder of the hard drive) is a good idea for re-enabling these, but the location can be traced if people have monitoring tools (there are several examples of code on this site to see any new files added to a drive).

Also, you could re-name the file (it doesnt actually have to be *.mdb), and that will deter most people.


There's nothing I can think of that would be particularly secure, but using these two options combined is probably about the best you can do in this situation.

[szlamany]

Why are you wanting to use a database?

I would consider loading the encrypted data into arrays - decrypt in memory - and perform in memory sorts and searches.

Back in the old days, that's all we had

[si_the_geek]

Very good point

I guess the only likely difference would be a loss of speed, and maybe not much either.


(It's kind of worrying I forgot about the old days!)