Guest
Hi. I am developing a Windows application that will connect to SQL Server and I had a few deployment questions.
First, on my server, I only have access to a single SQL Server login account. So, I need to use that account in my Windows application to talk with SQL Server. This application can have many users, each with their own security permissions, so I will control their rights and access through security tables that I will create. However, of course I still need to connect to the SQL Server - so how do I make my application secure? The application needs to have the master password and login account to access the database, but I obviously only want to allow access to the information that is relevant to that person, not all information in the database. How can I stop a malicious person from finding the password (maybe by looking through the compiled code or watching through some kind of network sniffer) and using it to connect to the database and gain access to all data through some other means (even using Enterprise Manager or something)?
On a related note, this application will have an accompanying ASP.NET web site that will also have access to the data. How can I stop a person from appending onto a URL or using some other spoofing method such as guessing user ids to gain access to other people's information? I know to make this harder I can use GUIDs, but it seems like making every table's primary key a GUID is a cumbersome solution.
Finally, has anyone used those obfuscating programs? Do they really work or do they just make the offender go and buy their own decompiler or something that will reverse the process or at least give them access to information such as a password? If they are worthwhile, which one would you recommend?
Thanks for any help
Gre