Re: vb & mssql apps : security issue

From: ^Crazy Coder^ (saba_at_clubrt.com)
Date: 05/08/03


Date: Thu, 8 May 2003 17:05:53 +0700


oh i c
lots thanks David ..

That should work! I can smile now <g>
^CrazyCoder^

"David Portas" <REMOVE_BEFORE_REPLYING_dportas@acm.org> wrote in message
news:eqOTLGUFDHA.1744@TK2MSFTNGP09.phx.gbl...
> So use Windows Authentication rather than SQL Authentication to give the
> basic level of access to your database. Then, once you have achieved the
> required user-authentication, you can connect using a SQL login / app role
> to give the required level of access.
>
> > so I let MS-SQL itself deal with uid/pw,
> If you don't want to give the user the password and don't want to put it in
> the program then you really have no choice but to code your own
> authentication something along the lines I described.
>
> --
> David Portas
> ------------
> Please reply only to the newsgroup
> --
>
> "^Crazy Coder^" <saba@clubrt.com> wrote in message
> news:eJoCoaPFDHA.2312@TK2MSFTNGP10.phx.gbl...
> > Dear all,
> >
> > Lots thanks for reply, ..
> > this is serious to me, to everyone actually.
> > That's why I posted up this issue:
> >
> > Remember, my technique:
> > - Since I don't know where to deal best about security issue,
> > so I let MS-SQL itself deal with uid/pw,
> > then my apps should be secure as the host could provide.
> >
> > - My user (who have trusted to log-in and use 'my program') still can't get
> > access to any of TABLEs, block them not to see any of confidential data!
> > when they're not using 'my program'
> >
> >
> > here is my code:
> > >
> > > '//[1] - check whatever he/she is valid on MS_SQL user
> > > DBConn1.Properties("User ID").Value = txtUserName.Text
> > > DBConn1.Properties("Password").Value = txtPassword.Text
> > >
> > > On Error GoTo SQL_LOG_ON_ERROR
> > >
> > > DBConn1.Open
> > > On Error GoTo 0
> > > DBConn1.Close
> > >
> > > '//[2] - if yes, re-open using my internal account
> > > '// that have right_r/w on my inv database
> > > DBConn1.Properties("User ID").Value = "my_apps_uid"
> > '>>>here!! .. is danger zone :(
> > > DBConn1.Properties("Password").Value = "somethingOhThatWouldBeNOTtooEazy"
> > >
> > > DBConn1.Open
> > >
> > >
> > >
> >
> > A few days after posting, I still keep thinking.
> > And I still don't know where to secure uid/pw on my compiled code above.
> >
> > ^CrazyCoder^
> >
> >
> >
> > "David Portas" <REMOVE_BEFORE_REPLYING_dportas@acm.org> wrote in message
> > news:#nVUNULFDHA.1924@TK2MSFTNGP11.phx.gbl...
> > > > You could have the password an encryption of the username. As long as they
> > > > don't have a copy of the encryption algorithm you use (i.e. keep your source
> > > No. Good practice is to assume that the algorithm is known. If you code your
> > > own encryption it should be one of the standard, published algorithms
> > > anyway. Most likely running in the MS CryptoAPI.
> > >
> > > > .. Then, you don't even need to know the
> > > > password, just the username....
> > > You said it! So if the username is stored in your database and it isn't
> > > encrypted then how secure is that?
> > >
> > > --
> > > David Portas
> > > ------------
> > > Please reply only to the newsgroup
> > > --
> > >
> > > "Stephen J Whiteley" <hackateerTHEYAAHHOOOatyahoo.com> wrote in message
> > > news:O0YaD8KFDHA.1984@TK2MSFTNGP12.phx.gbl...
> > > > You could have the password an encryption of the username. As long as they
> > > > don't have a copy of the encryption algorithm you use (i.e. keep your source
> > > > code secure) you should be set. Then, you don't even need to know the
> > > > password, just the username....(have an application that can create a new
> > > > username/password combination for the database).
> > > > ...just a thought.
> > > >
> > >
> > >
> > >
> >
> >
>
>
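
The server-side setup behind the Windows Authentication plus application role suggestion quoted above, as an added example that is not part of any post in this thread. It uses SQL Server 2005 and later syntax (on SQL Server 2000 the role is created with sp_addapprole); the names CONTOSO\InvUsers, inv, dbo.Stock and inv_app are assumptions, and the password is a placeholder. The role password is still a secret the program has to hold, but it only works on a connection that has already been authenticated as a member of the Windows group.

```sql
-- Added example. Hypothetical names: Windows group CONTOSO\InvUsers,
-- database inv, table dbo.Stock, application role inv_app.
-- The password value is a placeholder, not a real secret.

-- 1. Basic access through Windows Authentication: the users' Windows group
--    may log in and enter the database, but is granted nothing on the tables,
--    so Query Analyzer, Access or Excel sessions see no confidential data.
CREATE LOGIN [CONTOSO\InvUsers] FROM WINDOWS;
GO
USE inv;
GO
CREATE USER [CONTOSO\InvUsers] FOR LOGIN [CONTOSO\InvUsers];
GO

-- 2. Table rights belong to an application role, not to any person.
CREATE APPLICATION ROLE inv_app
    WITH PASSWORD = '<APP-ROLE-PASSWORD-PLACEHOLDER>';
GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Stock TO inv_app;
GO

-- 3. Retire the shared SQL login from the original post, so a uid/pw pair
--    recovered from the compiled program no longer opens a connection.
ALTER LOGIN my_apps_uid DISABLE;
GO

-- 4. What the program executes right after opening its connection with
--    integrated security (no user name or password in the connection).
EXEC sp_setapprole @rolename = 'inv_app',
                   @password = '<APP-ROLE-PASSWORD-PLACEHOLDER>';

-- 5. Check from the same session: run both queries before and after
--    step 4 and compare the active principal and the effective permission.
SELECT USER_NAME() AS active_principal;
SELECT HAS_PERMS_BY_NAME('dbo.Stock', 'OBJECT', 'SELECT') AS can_select;
```

Once activated, the application role stays in effect for the rest of that session, so the program should open a dedicated connection for it.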


