Hey I've coded a Program with Login that connects to my MySql Database.
Since everyone has to Login before using it they have to connect to the Database in order to proof if the Login Details are correct.
To allow that connection I have store the Username and Password for that Database inside the Program:
datasource=myip;port=myport;username=username;password=password;database=database
I guess it wouldn't be hard at all for any hacker to find this username and password so is it possible to hide the login details somehow? I were able to crypt and decrypt it but I don't think that it would be too hard to even crack that.
How do others do it or is there a other way to connect to your database without the username and password in ur code?
As Baseult indicates in the comments, the only way to stop someone breaking into your database is not give it to them in the first place - you keep the DB on your server, and other people access it by sending calls to a web service. Doesn't have to be RESTful
I can't add comments but why not use a generic login to connect to the database and restrict it with user names/passwords/hashes for the application via a user table in your database?
Related
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
I am trying to design a Springboot+ Hibernate application which will have the first page as a form which will take in the Database username and password, instead of hardcoding (spring.datasource.username/spring.datasource.password).
So I do not want to connect to the database initially on server startup, but want to do this only once the user enters the correct database username and password. Is this possible and how do I go about it? I searched a lot for this but I am only getting stuff related to SpringSecurity.
I'm having a problem with trying to stablish a database connection with an user that's not root. I mean I have defined the following user at my database.
dev#host
I try to connect the way indicated here: https://developers.google.com/appengine/docs/java/cloud-sql/, but I get a truly strange error, I've set the application to display what error is the one that doesn't allow to connect with that user and I get this:
java.sql.SQLException:Access denied for user 'dev#host'#'localhost'.
I wonder where it can get that localhost from... I've also tried to change the name of the user to dev'#'host but it keeps on the localhost issue.
If I connect with root, not inputting any user or password it connects properly, but I need the application to be connected by users with less privileges.
Any idea what I can be doing wrong?
Thanks for your help.
Check this page…you need to set up permissions…
https://developers.google.com/cloud-sql/docs/access-control?hl=pt
Are you using a mySql client? Did you manage to add an authorized IP address?
Cheers.
I have a mysql database on my pc , what should i send someone to access it :S? A connection string or a live link .Is it possible?
Thank you
This worked perfectly for me. You're essentially giving them access to a separate installation of phpmyadmin that provides them access to any of the databases on your server via their separate database login credentials
Is your computer available to others through the Internet, or does your ISP block access through port 80 (HTTP)? If the other person can access a web server on your computer that person could admin your mySQL database through phpMyAdmin?
If the other person knows how to use a terminal to perform sql-tasks I guess you could grant this person permission (see: http://dev.mysql.com/doc/refman/5.1/en/adding-users.html).
I'm making a winforms app in vb.net that connects to a mysql database on my webserver to read and write data, this all works fine.
But i have to allow the users ip to remote connect to the database.
Is it possible to give everyone access to the database? The user account will not have all rights an the data isn't very important if it got lost.
The user account and connection details are hard coded.
I know this isnt secure but that doesnt really matter.
Yes, that's very well possible. In your mysql privileges table you'll have to grant a wildcard (%) host access to the user. Then in your VB.NET code simply use the address in the connectionString.
Yes, you can GRANT permissions on the database to the same user with wildcards in the host. More information here.
You can specify wildcards in the host name. For example, user_name#'%.example.com' applies to user_name for any host in the example.com domain, and user_name#'192.168.1.%' applies to user_name for any host in the 192.168.1 class C subnet.
The simple form user_name is a synonym for user_name#'%'.
That way every application connects to the database from random hosts and uses the same username/password in the connection string to authenticate, and MySQL will allow it because the host part of the permissions isn't explicitly specified.
But i have to allow the users ip to remote connect to the database.
Why?
Two other options:
1 - Expose the data as a web service. It's already on the web server...
2 - Build a web app instead of a desktop app.