Permissions |
Thu, Dec 2 2010 6:12 PM
Rita Tipton

When I add a new user to my server I usually tick Read, Insert, Update. I have never really given it much thought until today. I'm working on a betting app for a bookie friend of ours and it needs to be secure. So I added a user:

    Username: Al Capone
    Password: Scarface001A

Everything worked as expected, then it dawned on me: what if I logged on to the server at the remote address using his details via DBSys? I did, and I could edit the tables and therefore could change Al's bets so they won.

I guess I will now have to write the permissions into my app so that if anybody is savvy enough to figure out how to do it, they can't get in via DBSys except for read only.

Any pointers for this would be welcome, thanks.

Rita
Thu, Dec 2 2010 9:31 PM
Jan Ferguson, Data Software Solutions, Inc. (Team Elevate)

Rita,

You can password protect each table. They can't open the table easily through DBSys without the password. Would that work for you? In your app you would only have to use the session AddPassword method in the Password event of the data module:

    procedure TdatamoduleYourApp.SessionYourAppPassword(Sender: TObject; var Continue: Boolean);
    begin
      { password: the table password your application supplies }
      SessionYourApp.AddPassword(password);
    end;

--
Jan Ferguson

Rita wrote:
> Everything worked as expected then it dawned on
> me what if I logged on to the server at the remote
> address using his details via Dbsys.
> I did and I could edit the tables and therefore could
> change Al's bets so they won.
>
> I guess I will now have to write the permissions into
> my app so if anybody is savvy enough to figure out
> how to do it cant get in via dbsys except for read only.
>
> Any pointers for this would be welcome thanks.
> Rita
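As an added example (not Jan's code and not Elevate's), here is a complete data module in the shape Jan describes: the session's OnPassword handler, whose signature is the one shown in his post, supplies the table password through AddPassword. The unit name, the TdmBetting data module, the SessionBetting component and the BETTING_TABLE_PASSWORD environment variable are all assumptions for this example; the environment variable simply stands in for wherever the application obtains the password at runtime, and is used instead of a string literal because a literal sits in the .exe where a hex editor finds it.

```pascal
unit dmBettingUnit;

interface

uses
  SysUtils, Classes, dbisamtb;

type
  { Data module that owns the DBISAM session (names assumed for this example). }
  TdmBetting = class(TDataModule)
    SessionBetting: TDBISAMSession;
    procedure SessionBettingPassword(Sender: TObject; var Continue: Boolean);
  private
    function GetTablePassword: string;
  end;

var
  dmBetting: TdmBetting;

implementation

{$R *.dfm}

function TdmBetting.GetTablePassword: string;
begin
  { Stand-in for the application's real source of the password: here an
    environment variable set by the operator, so that no literal is compiled
    into the executable. The variable name is assumed for this example. }
  Result := GetEnvironmentVariable('BETTING_TABLE_PASSWORD');
end;

{ Wire this handler to SessionBetting.OnPassword in the Object Inspector.
  The engine raises the event when it opens an encrypted table for which the
  session holds no password yet. }
procedure TdmBetting.SessionBettingPassword(Sender: TObject; var Continue: Boolean);
var
  Pwd: string;
begin
  Pwd := GetTablePassword;
  if Pwd = '' then
  begin
    { No password available: do not let the engine keep retrying the open. }
    Continue := False;
    Exit;
  end;
  { Register the password with the session; the engine tries it when it
    opens an encrypted table in this session. }
  SessionBetting.AddPassword(Pwd);
  Continue := True;
end;

end.
```

Whatever source GetTablePassword reads, the running client process holds the password, so anyone who controls that machine can recover it, which is the caveat Tim raises later in this thread. The table password decides who can open the table at all; what an authenticated user may change is still governed by the Read/Insert/Update permissions Rita ticks for each server user, so those are the controls to tighten for accounts that should only view their own bets.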
Fri, Dec 3 2010 8:28 AM
Rita Tipton

    procedure TdatamoduleYourApp.SessionYourAppPassword(Sender: TObject; var Continue: Boolean);
    begin
      SessionYourApp.AddPassword(password);
    end;

I guess that is all in the manual somewhere, but I just dived in 10 years or so ago, found DBISAM so easy to use and set up that I never thought how easy it would be for a savvy user to alter the tables via DBSys. The only app I have using C/S is on LANs and the finance stuff is separate. Very nice, thank you Jan; now all I need is an EXE packer that can't be unscrambled.

Rita
Fri, Dec 3 2010 11:54 AM
Tim Young [Elevate Software], Elevate Software, Inc., timyoung@elevatesoft.com

Rita,

<< Any pointers for this would be welcome thanks. >>

If you use a custom engine signature with the DBISAM Database Server, then he won't be able to use a standard copy of DBSYS to log in to the server, only your application that "knows" the custom engine signature. This will keep the casual user out, but money can cause people to do strange things, so I wouldn't rely on this if you think that someone will try to discover the signature by hacking around the .exe. Of course, you'll also have a log of that user name logging in/out of the DBISAM Database Server via the server log, but that won't tell you whether the person did so via your application or DBSYS.

--
Tim Young
Elevate Software
www.elevatesoft.com
Fri, Dec 3 2010 3:03 PM
Rita Tipton

Thanks Tim. I have found a way to hide the password in the exe; I have tried and tried to find it but can't. As I know where it is in the exe before I hid it, and know what it is, I should be able to find it. I did not use a packer, as you can unpack the exe also. Buggered if I can find it though; one last try with a hex editor.

Rita
Tue, Dec 7 2010 2:01 PM
Tim Young [Elevate Software], Elevate Software, Inc., timyoung@elevatesoft.com

Rita,

<< Thanks Tim I have found a way to hide the password in the exe I have tried and tried to find it but cant. As I know where it is in the exe before I hid it and know what it is I should be able to find it. I did not use a packer as u can unpack the exe also. Buggered if i can find it tho one last try with hex editor. >>

If you've hidden it enough that it can't be easily found with a hex editor, then that should keep casual hackers at bay, but the more hard-core hackers will simply reverse-engineer the .exe and find out where it's being loaded from. It's up to you to decide if the people using your software will have access to that type of hacker.

--
Tim Young
Elevate Software
www.elevatesoft.com
Wed, Dec 8 2010 1:36 PM
Rita Tipton

> It's up to you to decide if the people using your software will have
> access to that type of hacker.

Yes, I ran a disassembler and figured it out. So now my next move is to figure out how to assign the session password to a user who has a server account. Either that or execute everyone on the planet with criminal minds... oops, Rita's gone. Or just leave it and hope our bookie friend (or fiend) does not get attacked. Although I have EDB, I don't know if the username/password thing is the same; please, someone enlighten me.

Rita
Wed, Dec 8 2010 2:24 PM
Roy Lambert, NLH Associates (Team Elevate)

Rita

Just remember: all you have to be is on the right side of the cost/benefit equation. If it's going to cost them more than they're going to get from it, they won't go on. I use two or three levels of obfuscation. Not bulletproof, but it makes it difficult.

Roy Lambert
Wed, Dec 8 2010 3:47 PM
Rita Tipton

> I use two or three levels of obfuscation. Not bulletproof, but it makes it difficult.

Yea but, no but ;-( Grrrrrr. The problem is, Roy, suppose you download an app from your bookie, say one of the big guys like Ladbrokes. Then you discover it's using DBISAM and you can see the remote tables; would you be tempted to take a peek? I would, most would, but would I alter my balance? I doubt it. If, however, some compulsive gambler has hit rock bottom and maxed out his cards, then they would. So I guess I should do as Tim suggests and fiddle with the engine.

Rita
Thu, Dec 9 2010 3:45 AM
Roy Lambert, NLH Associates (Team Elevate)

Rita

> Grrrrrr the problem is Roy suppose you download an app from your bookie
> say one of the big guys like Ladbrokes.
> Then you discover its using DBIsam and you can see the remote tables,
> would you be tempted to take a peek ?
> I would most would but would I alter my balance I doubt it. If however
> some compulsive gambler has hit rock bottom and maxed out his cards
> then they would.
> So I guess I should do as Tim suggests and fiddle with the engine.
> Rita

Unfortunately even that means bedding a password in there somewhere. Create your tables with a randomly created password and engine signature. Do not build them into your app in any way; then no one can get at the data.

Roy Lambert [Team Elevate]
This web page was last updated on Wednesday, April 17, 2024 at 08:53 AM. © 2024 Elevate Software, Inc. All Rights Reserved.