Connection for Front End Application

  • We have a VB front end to our database that is currently using User DSNs with an appropriate login for SQL. Right now the administration is not bad, but I don't want to have an independent SQL login for every user.

    What is the best way to connect to SQL (using VB6) and not having to create an individual SQL login for each user?

  • You can share one SQL login by embedding it in the app (password too if you want). The alternative is to use NT security where access is based on their login. NT is the better route, but only if you've secured your data well. If you're granting table-level access via NT and someone knows how to use MS Query, they can bypass your app and edit the data directly. We use SQL logins for internal apps, one login per app normally, works fine.

    Andy

  • I see your point. Thank you very much!

  • Now that I think about it, how would one monitor database activity with a single login account? Will I still be able to use, say, SQL Profiler to monitor user connections? Won't it show the same user with x amount of connections?

  • They'll still show up as separate connections. You won't be able to tell who the actual user is though; the most you'll get is the computer name - which is usually good enough!

    Andy

  • Try using Application role

    Give me a fish, you feed me for a day! Teach me to fish, you feed me for a life time.

  • App roles aren't my favorite. You still have to have the password embedded in the app.

    Andy

  • Note on app security when embedding the password to a single account inside. If you are really concerned with security, a few things to keep in mind about apps are the way constants and other code bits are stored. Even when compiled, you can sometimes see some of the constants and code if you open the exe in Notepad or another text editor. For safety, take a look and see how easy it is to spot. The average user won't know what they are looking at, but some might. Not all is encrypted, so make sure you are not giving pointers inside the code that expressly give away any value. Also, we use a method here of encrypting the password and having a decryptor in the code to make it complicated to find. Just want to make sure you know of this loophole and are prepared for it.

    "Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)

  • Totally agree with that point. Any type of simple obfuscation is worth doing to prevent this kind of casual snooping.

    Andy
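The "take a look and see how easy it is to spot" check from the post above can be scripted against your own build. This is an added example, not code from any poster in the thread; the sample bytes, server name, login and passwords are constructed, and the function names are hypothetical. It scans for both ASCII and UTF-16LE literals, since a Windows executable can hold strings in either form.

```python
import re

# Keys that commonly carry credentials in ODBC / OLE DB connection strings.
CRED_KEYS = re.compile(r"(?i)\b(pwd|password|uid|user id)\s*=\s*[^;\s]+")

def printable_runs(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable runs, like `strings`."""
    ascii_pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_pat.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_pat.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_embedded_credentials(data: bytes):
    """Return (offset, encoding, 'key=value') for every plaintext hit."""
    findings = []
    for offset, enc, text in printable_runs(data):
        for m in CRED_KEYS.finditer(text):
            findings.append((offset, enc, m.group()))
    return findings

def build_sample() -> bytes:
    """Constructed stand-in for a compiled exe: binary filler around two
    connection-string literals, one ASCII and one UTF-16LE."""
    filler = b"\x00\x01\x02\x90\xff" * 8
    dsn_ascii = b"Driver={SQL Server};Server=DBSRV01;UID=app_login;PWD=Example-Pw-1;"
    dsn_wide = ("Provider=SQLOLEDB;Data Source=DBSRV01;"
                "User ID=app_login;Password=Example-Pw-2").encode("utf-16-le")
    return b"MZ" + filler + dsn_ascii + filler + dsn_wide + filler

if __name__ == "__main__":
    # To audit a real build, replace build_sample() with
    # open(path_to_your_exe, "rb").read()
    for offset, enc, hit in find_embedded_credentials(build_sample()):
        print(f"0x{offset:06x}  {enc:<9} {hit}")
```

A clean result only means no plaintext literal was found. A password stored obfuscated alongside its decryptor stops the casual Notepad look, not someone prepared to trace the code.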

  • Thank you very much for all of your information!

