Thread Permissions
Thu, Dec 2 2010 6:12 PM

Rita Tipton

When I add a new user to my server I usually tick
Read
Insert
Update

I have never really given it much thought until today.
I'm working on a betting app for a bookie friend
of ours and it needs to be secure.
So I added a user
Username : Al Capone
Password : Scarface001A

Everything worked as expected then it dawned on
me what if I logged on to the server at the remote
address using his details via Dbsys.
I did and I could edit the tables and therefore could
change Al's bets so they won.

I guess I will now have to write the permissions into
my app so that anybody savvy enough to figure out
how to do it can't get in via DBSys except for read only.

Any pointers for this would be welcome thanks.
Rita

Thu, Dec 2 2010 9:31 PM

Jan Ferguson

Data Software Solutions, Inc.

Team Elevate

Rita,

You can password protect each table. They can't open the table easily
through DBSys without the password. Would that work for you? In your
app you would only have to use the session AddPassword method in the
Password event of the data module.

{ OnPassword handler of the data module's TDBISAMSession: fired when a table
  open needs a password the session does not yet hold. "password" is the table
  password string, declared elsewhere in the data module. }
procedure TdatamoduleYourApp.SessionYourAppPassword(Sender: TObject;
 var Continue: Boolean);
begin
 SessionYourApp.AddPassword(password);
end;

--
Jan Ferguson


Rita wrote:

> Everything worked as expected then it dawned on
> me what if I logged on to the server at the remote
> address using his details via Dbsys.
> I did and I could edit the tables and therefore could
> change Al's bets so they won.
>
> I guess I will now have to write the permissions into
> my app so if anybody is savvy enough to figure out
> how to do it cant get in via dbsys except for read only.
>
> Any pointers for this would be welcome thanks.
> Rita
Fri, Dec 3 2010 8:28 AM

Rita Tipton


procedure TdatamoduleYourApp.SessionYourAppPassword(Sender: TObject;
 var Continue: Boolean);
begin
 SessionYourApp.AddPassword(password);
end;


I guess that is all in the manual somewhere, but I just dived in 10
years or so ago, found DBISAM so easy to use and set up that I never
thought how easy it would be for a savvy user to alter the tables
via DBSys. The only app I have using C/S is on LANs and the finance
stuff is separate.
Very nice, thank you Jan. Now all I need is an EXE packer that can't
be unscrambled.
Rita
Fri, Dec 3 2010 11:54 AM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Rita,

<< Any pointers for this would be welcome thanks. >>

If you use a custom engine signature with the DBISAM Database Server, then
he won't be able to use a standard copy of DBSYS to login to the server,
only your application that "knows" the custom engine signature.  This will
keep the casual user out, but money can cause people to do strange things,
so I wouldn't rely on this if you think that someone will try to discover
the signature by hacking around the .exe.  Of course, you'll also have a
log of that user name logging in/out of the DBISAM Database Server via the
server log, but that won't tell you whether the person did so via your
application or DBSYS.

--
Tim Young
Elevate Software
www.elevatesoft.com
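Putting Jan's AddPassword handler and Tim's custom engine signature together, as an added Delphi illustration that is not code from this thread or from Elevate Software; the data module TdmApp, its session SessionApp, the event binding and the sample values are assumptions, and the server is assumed to be configured with the same signature:

```delphi
// Added illustration, not code from the thread or from Elevate Software.
// Assumes: the DBISAMTb unit in the uses clause (it supplies the global
// Engine object and TDBISAMSession), a hypothetical data module TdmApp
// holding a TDBISAMSession named SessionApp, and SessionApp.OnPassword
// bound to SessionAppPassword.

const
  // Constructed sample values for illustration only. As the thread notes,
  // a plain string literal in the executable is recoverable by anyone who
  // disassembles it, so a real build must not rely on these staying secret.
  TABLE_PASSWORD   = 'example-table-password';
  CUSTOM_SIGNATURE = 'example-engine-signature';

procedure TdmApp.DataModuleCreate(Sender: TObject);
begin
  // Set the signature before the engine is activated. It must match the
  // signature configured on the DBISAM Database Server; a stock DBSYS, which
  // presents the default signature, is then refused by that server.
  Engine.EngineSignature := CUSTOM_SIGNATURE;
end;

procedure TdmApp.SessionAppPassword(Sender: TObject; var Continue: Boolean);
begin
  // Fired when a table open needs a password the session does not yet hold.
  // Register the table password and ask the engine to retry the open.
  SessionApp.AddPassword(TABLE_PASSWORD);
  Continue := True;
end;
```

Neither measure replaces the server's own user permissions: both only raise the cost for someone who has the client binary, and the server log still cannot tell the application apart from DBSYS, as Tim points out.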
Fri, Dec 3 2010 3:03 PM

Rita Tipton

Thanks Tim, I have found a way to hide
the password in the exe. I have tried and
tried to find it but can't. As I know where
it is in the exe before I hid it and know
what it is, I should be able to find it.
I did not use a packer as you can unpack the
exe also.
Buggered if I can find it though, one last try
with a hex editor. Wink
Rita

Tue, Dec 7 2010 2:01 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Rita,

<< Thanks Tim, I have found a way to hide the password in the exe. I have
tried and tried to find it but can't. As I know where it is in the exe before
I hid it and know what it is, I should be able to find it. I did not use a
packer as you can unpack the exe also. Buggered if I can find it though, one last
try with a hex editor. Wink >>

If you've hidden it well enough that it can't be easily found with a hex editor,
then that should keep casual hackers at bay, but the more hard-core hackers
will simply reverse-engineer the .exe and find out where it's being loaded
from.  It's up to you to decide if the people using your software will have
access to that type of hacker. Smiley

--
Tim Young
Elevate Software
www.elevatesoft.com
Wed, Dec 8 2010 1:36 PM

Rita Tipton

> It's up to you to decide if the people using your software will have
> access to that type of hacker. Smiley

Yes, I ran a disassembler and figured it out. So now my next move
is to figure out how to assign the session password to a
user who has a server account.

Either that or execute everyone on the planet with criminal minds,
oops, Rita's gone Wink

Or just leave it and hope our bookie friend (or fiend) does not get
attacked. Although I have EDB I don't know if the username/
password thing is the same, please someone enlighten me. Wink

Rita

Wed, Dec 8 2010 2:24 PM

Roy Lambert

NLH Associates

Team Elevate

Rita


Just remember - all you have to be is on the right side of the cost-benefit equation. If it's going to cost them more than they're going to get from it they won't go on.

I use two or three levels of obfuscation. Not bullet proof but it makes it difficult.

Roy Lambert
Wed, Dec 8 2010 3:47 PM

Rita Tipton



> I use two or three levels of obfuscation. Not bullet proof but it makes it
> difficult.

Yea but No but ;-(

Grrrrrr, the problem is, Roy, suppose you download an app from your bookie,
say one of the big guys like Ladbrokes.
Then you discover it's using DBISAM and you can see the remote tables,
would you be tempted to take a peek?
I would, most would, but would I alter my balance? I doubt it. If however
some compulsive gambler has hit rock bottom and maxed out his cards
then they would.
So I guess I should do as Tim suggests and fiddle with the engine.
Rita
Thu, Dec 9 2010 3:45 AM

Roy Lambert

NLH Associates

Team Elevate

Rita

> Grrrrrr, the problem is, Roy, suppose you download an app from your bookie,
> say one of the big guys like Ladbrokes.
> Then you discover it's using DBISAM and you can see the remote tables,
> would you be tempted to take a peek?
> I would, most would, but would I alter my balance? I doubt it. If however
> some compulsive gambler has hit rock bottom and maxed out his cards
> then they would.
> So I guess I should do as Tim suggests and fiddle with the engine.
> Rita

Unfortunately even that means bedding a password in there somewhere.

Create your tables with a randomly created password and engine signature. Do not build them into your app in any way then no-one can get at the data Smiley

Roy Lambert [Team Elevate]