May I know your opinion about application user? [message #383364]
Wed, 28 January 2009 09:03
khosravi
Messages: 68 Registered: April 2006
Member
Hello to all
Some application programmers and designers handle their system security like this:
They create a table in the database for recording the usernames and passwords of users, and their application always connects to the database with a fixed database user (this is a user created in the database, usually with high privileges, whose username and password at connection time are provided by the application, not by the operator).
When operators want to use the application, it shows them a login form and gets the username and password; then the application connects to the database with that fixed database user and searches for the username and password in that table; if they exist, the operator is allowed to use the application.
But I always say that this approach causes security weakness and eliminates many performance and security controls of the database. You can create roles and users in the database and grant them the necessary privileges, and applications, while connecting to the database, get from operators their database usernames and passwords for the connection and don't use a fixed user.
In your opinion, is using a fixed user (application user) in big and important systems such as bank systems, military systems and so on rational? Is it acceptable? Am I right?
Please give me your opinion with reasons.
Thanks so much.
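The two designs described in the post above, side by side, as an added worked example in Oracle-style SQL. This is not code from the thread; every schema, user, role and password name in it (APP_USER, BANK.TRANSACTIONS, TELLER_ROLE, AUDITOR_ROLE, ALICE, BOB) is an assumption chosen for illustration.

```sql
-- ============================================================
-- Design 1: one fixed "application user" for the whole system.
-- (hypothetical names; this is the model the post criticises)
-- ============================================================
-- The application embeds this password in its source or config.
CREATE USER app_user IDENTIFIED BY "fixed-password-shipped-with-app";
-- Typical "high privilege" grant: everything the app might ever need.
GRANT CREATE SESSION, DBA TO app_user;

-- The application manages its own operators in an ordinary table.
-- Storing only a hash is better than the plaintext password the post
-- describes, but the database still cannot tell operators apart.
CREATE TABLE app_user.app_users (
  username  VARCHAR2(30)  PRIMARY KEY,
  pwd_hash  RAW(64)       NOT NULL,
  app_role  VARCHAR2(20)  NOT NULL   -- enforced by the application only
);

-- Login check performed by the application while connected as APP_USER
-- (bind variables :u and :h come from the login form):
--   SELECT app_role FROM app_user.app_users
--    WHERE username = :u AND pwd_hash = :h;
-- Whatever the answer, the session that runs the real work is still
-- APP_USER with DBA rights, so an operator who learns the fixed
-- password (or finds an injection) gets DBA, and the audit trail
-- attributes every action to APP_USER rather than to a person.

-- ============================================================
-- Design 2: per-operator database accounts with least-privilege roles.
-- (hypothetical names; this is the model the post recommends)
-- ============================================================
-- Roles describe jobs, not people.
CREATE ROLE teller_role;
GRANT SELECT         ON bank.accounts     TO teller_role;
GRANT SELECT, INSERT ON bank.transactions TO teller_role;

CREATE ROLE auditor_role;
GRANT SELECT ON bank.accounts     TO auditor_role;
GRANT SELECT ON bank.transactions TO auditor_role;

-- Each operator is a real database user; the application simply passes
-- the operator's own username and password to the connection.
CREATE USER alice IDENTIFIED BY "Initial-Pw-1" PASSWORD EXPIRE;  -- must change at first login
GRANT CREATE SESSION TO alice;
GRANT teller_role    TO alice;

CREATE USER bob IDENTIFIED BY "Initial-Pw-2" PASSWORD EXPIRE;
GRANT CREATE SESSION TO bob;
GRANT auditor_role   TO bob;

-- Database-side controls that Design 1 throws away now work per person:
AUDIT INSERT, UPDATE, DELETE ON bank.transactions BY ACCESS;  -- trail names ALICE, not APP_USER
ALTER USER bob PASSWORD EXPIRE;                               -- lock, expire, rotate per operator

-- Check from inside a session: which roles and privileges does
-- the connected operator actually hold?
SELECT role FROM session_roles;
SELECT privilege FROM session_privs;

-- Connected as BOB from ANY client (the application or SQL*Plus), this
-- fails with ORA-01031: insufficient privileges, because the privilege
-- is missing in the database, not merely hidden by the application:
--   INSERT INTO bank.transactions (acct_id, amount) VALUES (1, 100);
```

The `session_roles` and `session_privs` queries are the quickest way to verify, per connected operator, that the second design grants no more than the role describes. In the first design those same views always describe APP_USER, which is exactly the problem the post raises.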
Re: May I know your opinion about application user? [message #383377 is a reply to message #383375]
Wed, 28 January 2009 10:33
Fayyaz
Messages: 7 Registered: April 2005
Junior Member
I think using an application username is good instead of a separate database user for each application user, because you only have access to the application and not to the database. If you have a database tool, you can't log in to the database and harm it. You can only log in to the application and, based on your application role, do some sort of work.
You can secure it more, as suggested by Michel.
Re: May I know your opinion about application user? [message #383508 is a reply to message #383377]
Thu, 29 January 2009 00:50
khosravi
Messages: 68 Registered: April 2006
Member
Fayyaz, it may be that not every person who uses an application has the same privileges, and assigning one database user to the application and setting it in the source code can increase risk: if someone finds it, they can damage the database.
And you wrote that "If you have any database tool, you can't login to database and harm it".
I say that if we define each user's or role's privileges carefully in the database, what difference does it make whether that user uses an ordinary application or a database tool?