I have never developed an application outside my company's system, where we just rely on Windows authentication from our domain, but I want to learn how to develop a secure application that I can connect to a remote database.

I know it is easier if I use ASP.NET because the data connections will be on the server side, but I want to have a WPF application as well for administrative tasks.

Here is what I can think of for securely connecting to a database:

First, always have an SSL connection to the database. Have a default user/pass that is clear text in the config file of the program, whose only access is to a login procedure on the database. The user puts in their database credentials, and the default user/pass will be connected to the DB and pass the credentials that the user presented.

The procedure will then pass back a pair of credentials (user/pass) that the application will use for the remainder of the user's logged-in session. Is this a good way of approaching the issue? Also, should I consider using a web service or WCF as the interface instead of a direct connection?

+1  A: 

Why that complex? Just let the user enter the database user name and password and then try to connect to the server using an SSL connection. The server already has a full-featured user management system, so there is no need to create a new one if you only need access for a few people.

Daniel Brückner
Amen -- programmers are always trying to rebuild user management while connecting to the DB with "default user/pass"... I suspect that's because DBAs are slow or grumpy to add users to the DB...!-)
Alex Martelli
No, I am the only developer and DBA for this project. But I am probably going to do it that way in the end, but I am considering the other way because I don't want users to log into the SQL server directly, but have them only allowed to use the application to access the data.
greektreat
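
The approach from the answer above, sketched as an added example (not code from the original posts): the user's own database login is passed to SQL Server over an encrypted, certificate-validated connection, so no default account sits in the config file. It assumes SQL Server with `System.Data.SqlClient` on .NET 4.5 or later; the server and database names are hypothetical placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security;

static class DbLogin
{
    // Hypothetical server and database names (assumptions); replace with your own.
    const string Server = "db.example.com";
    const string Database = "AppDb";

    // Returns an open, encrypted connection authenticated as the end user,
    // or null when SQL Server rejects the login.
    public static SqlConnection TryConnect(string userName, SecureString password)
    {
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            Encrypt = true,                 // require TLS on the wire
            TrustServerCertificate = false, // validate the server certificate chain and name
            PersistSecurityInfo = false,    // never hand credentials back via the connection
            ConnectTimeout = 15
        };

        // SqlCredential requires a read-only SecureString; the password is
        // kept out of the connection string entirely.
        password.MakeReadOnly();
        var credential = new SqlCredential(userName, password);

        var conn = new SqlConnection(csb.ConnectionString, credential);
        try
        {
            conn.Open();
            return conn;
        }
        catch (SqlException ex) when (ex.Number == 18456) // 18456 = login failed
        {
            conn.Dispose();
            return null;
        }
        catch
        {
            conn.Dispose(); // TLS or network failure: clean up and let the caller see it
            throw;
        }
    }
}
```

In a WPF login dialog, `PasswordBox.SecurePassword` supplies the `SecureString` argument directly. A certificate validation failure surfaces as a `SqlException` from `Open()` rather than a silent downgrade, because `TrustServerCertificate` is false.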