I'm currently developing a new project in Grails and right now all the information concerning datasources is within DataSource.groovy. I have also got some code in BootStrap.groovy in order to initialize the database in case of the first start in order to fill some tables with constant values.
Now I'm wondering how I could realize some kind of an "installer". I'm thinking of a customer who uses the .war of my software and needs to configure the database parameters (URL, user, password) before the first start.
I was thinking about setting up a dummy database and later letting him change the URL, user and password via a webpage as part of my software. But what will then happen with my BootStrap code that initializes the new database? Or is there a possibility of letting the user set the necessary parameters before the BootStrap code is executed and create the new database as well? Would that be possible to realize within Grails or would I have to place some PHP code up front?
I'm thinking of using grails, mysql in connection with database-migration plugin.
I would be grateful for any advice on this behalf. Thank you in advance!
If something is unclear, please tell me so.
I highly recommend you consider using an external configuration file that will allow your customers to not only configure the data source(s) but any other aspects of your application when they deploy it.
The Grails documentation has detailed information about how this is accomplished.
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
In other applications I've written, I've had to add the database specifications (username, password etc) into profiles.clj. Should I create profiles.clj and add the location of my database there? And does this mean I have to update the project.clj as well?
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs?
I apologise if these questions are trivial but after reading the documentation several times I am still a little confused.
re-frame is a framework for building client-side web applications. You won't be able to do generic database queries as most databases don't support direct access from a browser.
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
You probably need to create a middle API tier that accepts REST requests from re-frame, and queries the database, returning JSON back to the client.
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs
Those are probably queries to your API tier? They can live anywhere that you would like.
One thing to clarify: re-frame has an app-db that it uses and refers to. This is a client-side database of local state that lives in your application. It doesn't have a connection to the backend, at least not without you writing more code for it. It sounds like you might be confusing these?
I am working on an app in Visual C++ which requires data to be accessed from a database which can be edited, so that every time there is a modification to the data I do not have to resend the app, as it will automatically update. It is also required that this is a desktop app.
I am currently using MySQL; however, for this to run constantly I will need a server, which for a single simple app won't really be worth purchasing. So I started thinking of alternative methods and thought to myself there must be some method of reading directly from a website or online database. Am I correct in thinking this? If so, could someone please explain how I would achieve this?
Also, I have purchased phpmyadmin in the past so if there is any way I could connect my visual c++ app to a database from this then that would be great.
EDIT: Note, this app relies almost entirely on the database, as it is just 3 combo boxes and one text field, all of the values for which come from the database.
The following response is assuming that by online you mean on the web.
You cannot exactly 'connect' to an online database with C++ (or anything outside of that server hosting the database).
What I would do is create some PHP APIs that you can POST to with libcurl via C++. You can both send and receive data this way.
I just realized that there is no best way to hide MySQL string connection password in my executable file, especially in JAR file. Even encrypting it in EXE would only slow down the process (although I'm not sure how much time would it take to get an encrypted password from an EXE file).
So, from my understanding, I need something in the middle that would do the add, edit, delete etc to the database. Seems like a job for REST API or maybe SOAP services.
My question is, which one should I use? Or should I use something else? I was thinking of using Zend Framework to create those REST APIs. Then, I would use Qt to create a desktop application to call those APIs. But if I proceed with REST, my application would be a 3-tier application. Wouldn't it be better if I just created a web application? Maybe I should just stick to a desktop application calling those APIs, since the application is already finished and I just need to change from connecting directly to MySQL to calling those APIs to perform tasks, rather than changing the whole application to a web application.
Any advice would be very helpful. Thanks in advance.
UPDATE:
I'm looking for a security measure that would protect my MySQL connection password.
An obfuscator would only obfuscate the code; it won't hide my database connection string, which in my opinion can be easily found using grep after decompiling the JAR using tools like JAD.
About my application:
Using a centralized MySQL database
Thousands of users
Contains sensitive information
My client uses Linux and Windows
My server uses Linux
All access is done in the LAN, no outside connection (from the Internet etc.)
My current solutions (comments please):
Using REST APIs (safer since MySQL password is in the server)
Using Qt with encryption to the password
It depends on what kind of security you are looking for. Is this to protect the application from the user? To protect the user's data from other users? To protect multiple users' data from one another? To protect the user's data from an attacker?
In a lot of applications there's nothing wrong with storing the database login credentials in plain text. In other cases, you might try:
1. encrypting a user-chosen database password using a reasonably strong algorithm, e.g. Blowfish, using a hard-coded key;
2. having the user provide the password and "log in" to the program each time;
3. storing the database password in plain-text, but encrypt the data using a hard-coded key;
4. same as the above, but encrypt each user's data using their own provided password;
5. same as 2 but store each user's data in their own database with their login info as the database credentials;
6. storing the data on a secure remote database that users have to log into to access via a SOAP API;
7. using the native filesystem permissions to protect the configuration file holding the login credentials;
8. same as #1 but rolling your own really elaborate key-generation system: e.g. run the machine SID or a hardware id through MD5 using a randomly-generated salt, and then using the result to encrypt the login credentials.
Remember, there's no such thing as perfect security, so whatever you settle on doesn't need to be unbreakable. It just needs to be tough enough to break to make the hassle of circumventing the security mechanism exceed the value of the data. So, for example, if the data is a list of the top scores in Minesweeper, then ROT13 would probably be enough.
Edit:
I just want to add that, even if you can't get around having to hard-code an encryption key in your application, there are obfuscators for Java, .NET, and most other popular languages/frameworks. One of the key uses of these tools is to hide sensitive hard-coded strings like encryption keys.
Edit 2:
Given the additional details about the app in question, only 1, 6 and 8 would apply in this case. And a SOAP API is more appropriate for #6 as George rightly pointed out.
I also want to mention that there are Java resource obfuscators that encrypt string literals. This is just one example.
It pretty much depends on what environment your app runs in:
a) db and client local
b) db and client in a local network
c) db is in the internet
my two cents:
a) I would create a single db user and wouldn't use a password but restrict access to localhost
b) A direct connection to the database is fine, but I would have each user log in with his own password and grant only the permissions he needs.
c) It's a bad idea to allow mysql connections to a public server. In this case webservices would be a good solution.
Anyway if your case is b or c I would stick with a login dialog for the user.
Maybe you should have a look at this http://www.greensql.net/ tool.
It is like a firewall but for MySQL/PostgreSQL
So you can deny anything and only allow queries you want to.
If you are using Java for implementing your database desktop application, I would recommend using Java DB as the database. There are a few ways of securing it, and there are alternatives to having a password in the connection string. I would recommend reading Java DB Security - Security Features in Java DB Release 10.4
It is easy to deploy your application with Java DB, since you can have much of it embedded in the same jar file. I have used it in a Point of Sale application implemented in Java.
We need to deploy an application (developed in Java) WAR file at the client's site which makes use of MySQL 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect the data? The client can make use of the application but they should not be able to change any value in the database. How to do that?
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO 'db_user'@'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
Best Practice for Designing User Roles and Permission System?
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
Can't set permissions on MySQL user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html
http://www.databasejournal.com/features/mssql/article.php/2246271/Managing-Users-Permissions-on-SQL-Server.htm
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretend he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
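A sketch of such a controlled tier, added here as an illustration and not taken from any of the posts: clients send an operation name plus parameters, and only allow-listed, parameterized statements ever reach the database. The table names, operation names and `handle_request` function are hypothetical, and `sqlite3` stands in for MySQL so the example runs offline.

```python
import sqlite3

def make_db():
    # Constructed schema and rows. In deployment this connection, and the
    # database password behind it, exist only on the server hosting the tier.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    db.execute("CREATE TABLE note (id INTEGER PRIMARY KEY, product_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?, ?)",
                   [(1, "widget", 9.5), (2, "gadget", 20.0)])
    db.commit()
    return db

# The only statements a client can trigger: operation -> (SQL, expected params).
# There is no UPDATE or DELETE on product, so no request can express one.
OPERATIONS = {
    "list_products": ("SELECT id, name, price FROM product ORDER BY id", ()),
    "get_product": ("SELECT id, name, price FROM product WHERE id = ?",
                    (("id", int),)),
    "add_note": ("INSERT INTO note (product_id, body) VALUES (?, ?)",
                 (("product_id", int), ("body", str))),
}

def handle_request(db, request):
    """Handle one decoded JSON body such as {"op": "get_product", "params": {"id": 1}}."""
    op = request.get("op")
    spec = OPERATIONS.get(op) if isinstance(op, str) else None
    if spec is None:
        return {"status": 403, "error": "operation not allowed"}
    sql, expected = spec
    params = request.get("params", {})
    if not isinstance(params, dict) or set(params) != {n for n, _ in expected}:
        return {"status": 400, "error": "unexpected parameters"}
    args = []
    for name, typ in expected:
        if type(params[name]) is not typ:      # exact type: bool is not int
            return {"status": 400, "error": "bad type for " + name}
        args.append(params[name])
    cur = db.execute(sql, args)   # values are bound, never spliced into the SQL
    rows = [list(r) for r in cur.fetchall()]
    db.commit()
    return {"status": 200, "rows": rows}
```

A real deployment would put this behind HTTPS with per-user authentication; the database account used by the tier can additionally be limited to the privileges these statements need.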
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't foresee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.
I'm building a local vm for doing web dev rather than using our on site development. I need a database locally, but I don't want to just pull down a production db and use that as it has information that, while not protected by HIPAA or anything, should not be available in the case of laptop theft. Are there any apps or recommended practices to sanitize this data so that I am able to pull down a db, clean it, and install it in my vm?
Clarification: What I'm really looking for is an app that would allow me to mark the specific columns as sensitive and whack those ones whenever I imported a new copy of the DB.
Sounds like what you need is a data generator, one that will populate your database with bogus data. Redgate has a good one, but I don't know if it will work with mysql. Maybe this will help you out?
TRUNCATE TABLE table_name;
or
DELETE FROM table_name WHERE true;
on any table that you don't want to keep the data of, and then either set dummy values for any sensitive user data, or delete all user data and just turn a few accounts into local testing accounts (user 'testadmin', password 'password', etc).
The more interesting question that you should be asking yourself is: Why does my database not already have skeleton sql migrations that I can run to create a clean database? What happens when you need to create a separate production instance on another server?
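One way to "mark specific columns as sensitive" and overwrite them after every import, added here as an example that is not from the thread. The table names, column names and replacement rules are hypothetical, and `sqlite3` stands in for MySQL so it runs offline (on MySQL, use `CONCAT()` instead of `||` and look columns up in `information_schema.columns`).

```python
import sqlite3

# Columns marked sensitive, per table, with the SQL expression that replaces
# them. Everything not listed here is left untouched.
SENSITIVE = {
    "users": {
        "email": "'user' || id || '@example.invalid'",  # stays unique per row
        "full_name": "'Test User ' || id",
        "ssn": "NULL",
        "password_hash": "'!'",             # placeholder, not a real hash
    },
    "orders": {"shipping_address": "'1 Test Street'"},
}

def table_columns(db, table):
    # PRAGMA table_info yields one row per column; index 1 is the column name.
    return {row[1] for row in db.execute(f'PRAGMA table_info("{table}")')}

def scrub(db, rules=SENSITIVE):
    """Overwrite every marked column and return {table: rows_changed}."""
    # Fail closed: validate all rules against the live schema before changing
    # anything, so a renamed or misspelled column cannot silently keep real data.
    for table, cols in rules.items():
        missing = set(cols) - table_columns(db, table)
        if missing:
            raise ValueError(f"{table}: unknown column(s) {sorted(missing)}")
    changed = {}
    for table, cols in rules.items():
        assignments = ", ".join(f'"{c}" = {expr}' for c, expr in cols.items())
        changed[table] = db.execute(f'UPDATE "{table}" SET {assignments}').rowcount
    db.commit()
    return changed

def sample_db():
    # Constructed stand-in for a freshly imported production copy.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,"
               " full_name TEXT, ssn TEXT, password_hash TEXT, plan TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER,"
               " shipping_address TEXT, total REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "alice@corp.test", "Alice A", "111-22-3333", "hash-a", "pro"),
        (2, "bob@corp.test", "Bob B", "444-55-6666", "hash-b", "free")])
    db.execute("INSERT INTO orders VALUES (1, 1, '5 Real Road', 42.0)")
    db.commit()
    return db
```

Run the scrub on the host that receives the dump, before the copy is moved to the laptop VM, so unsanitized rows never land on the portable disk.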