G'Day,
Is anyone able to provide some pointers on how I can notify my Delphi application that a particular record in my MySQL database has changed? Something along the lines of the event system from Interbase?
Ideas I have looked at:
.: Q4M :. (http://q4m.31tools.com/)
Pros: Native MySQL solution requiring no external daemons
Cons: No Win32 build exists due to it using Posix calls specific to Linux
.: MySQL Message API :. (http://messagequeue.lenoxway.net/)
Pros: Robust (using spread.org)
Cons: No Win32 binary. Additional configuration and daemon(s) of spread.org required
.: Custom User Defined Function :.
I am attempting to write a UDF that can use the Win32 API PostMessage() so send a windows message to a simple socket server.
Pros: Integrated (albeit with external DLL dependency) with MySQL. Can be customised to my needs
Cons: I cannot get it to work (See post MySQL User Defined Function to send a windows message). This may be because MySQL is running as a service
Any pointers, ideas etc. greatly appreciated.
--D
As an option you may consider to use a middle-tier solution like a RemObject DataAbstract or kbmMW. AFAIK, they allow to track the changes on the middle layer and provide mechanisms to notify clients about that.
I ended up implementing this as follows:
Created Windows app that listened on a TCP port as well as a Windows Pipe
Created a mySQL User Defined Function (UDF) that would connect to the above Windows Pipe and send some information
Added triggers to the tables in the database to invoke the UDF with information about which table, what operation (insert, deleted, update), primary key values
TCP clients can now connect to the Windows app to receive the information passed on from the UDF
The TCP clients can then refresh as needed using the information retrieved
Works well and is light weight bandwidth wise (as clients only refresh what they need). Also keeping the TCP Server on the same machine as the database and using a Windows Pipe means the pipe can be kept open, and by writing to the pipe there is no TCP stack overhead. Means the load on mySQL and the time taken to execute the UDF is very minor.
Related
I'm trying to solve the problem described by CWE-798, specifically how to allow my application to authenticate to a database securely. I would like to set a mysql password within mysqld and push that information out to a PHP application server. This entails communicating the new password from mysqld to PHP before a PHP instance attempts to connect to the mysqld.
(I did read through the suggested approaches on mitre.org and have some knowledge of privileged access management - however NONE of the recommendations actually solve the problem).
Unless this is initiated within the mysqld e.g. using its event scheduler, then I need to maintain some sort of script outside MySQL which will need credentials to connect - thus defeating the objective.
My problem is that I don't know how to get MySQL to initiate a client connection to the application to inject the new password; it does not appear to provide a standard function for invoking a URL nor for executing a program.
Is my only option to implement a UDF?
The vulnerability you're describing seems to primarily relate to applications that are in the hands of users that can freely inspect what they've been given, such as might be the case in a desktop application or a mobile app. If you have credentials in there you must take great pains to encrypt them, and then prevent that encryption from being cracked by protecting your key, but seeing as how all of this has to happen on the user's hardware you're fighting a battle you may never win.
This is how the DVD encryption was cracked, the private key for decrypting DVD data was stored in a desktop application and eventually uncovered.
Server-side code has different concerns. Here you want to avoid hard-coding credentials into your application not because you're concerned about hostile users per-se, though that can be an issue, but because you do not ever want your credentials to end up in a version control system.
One way to ensure this never happens is to have the credentials stored in a file external to your application, like a config file that the application can reference. Most frameworks have some kind of configuration file (.yml, .ini, .xml) that define how they connect to the database. This file should be stored on the server and only on the server, not on developer workstations, not in your version control, and especially not somewhere shared.
You can go down the road of using something like Zookeeper to manage your configuration files but the investment of time required makes this a futile exercise unless you're managing hundreds of servers.
So the short answer here is: Don't put your credentials in your code, or store it with your code. Put it in a config file that's kept on the server and the server alone.
I'm writing an application which delivers data from remote devices over an HTTP API. These devices are on a mobile data connection and have limited resources.
I wish to receive custom monitoring data over the HTTP API, relying on the security model designed in the application, and push that data to Zabbix directly (or indirectly) from node.js. I do not wish to use Zabbix Agent on the remote devices.
I see that I can use zabbix_sender to send data to a Zabbix server containing a pre-configured host. This works great. I intend to deliver monitoring data over my custom API, and when received give this data to zabbix_sender inside the server network.
The problem is there are many devices in the field and more are being added all the time.
TL;DR:
When zabbix_sender provides a custom hostname which doesn't exist in Zabbix already, it fails.
I would like to auto-add discovered hosts, based upon new hostnames from zabbix_sender. How would I do this?
Also, extra respect if anyone can give examples of how to avoid zabbix_sender and send data directly from node.js to the Zabbix server. I mean: suggest an NPM package that you have experience using. (Update: Found working node.js package here: https://www.npmjs.com/package/node-zabbix-sender)
Zabbix configuration: I'm learning from Zabbix 2.4 installed in Docker, no custom configuration from this Dockerhub: https://hub.docker.com/r/zabbix/zabbix-2.4/
Probably the best would be to use the Zabbix API to create hosts directly.
Alternatively, you could set up an action and emulate active agent connection, which would make Zabbix create the host via the active agent auto-regstration.
You could also use low level discovery (LLD) to send in JSON, which would result in hosts/items being created, based on prototypes.
In all of these cases you have to wait for one minute (by default) for the hosts to appear in the Zabbix cache, then you can send the data.
Also note that Zabbix 2.4 is not supported anymore, it will receive no fixes - it is not a "long-term support" release.
on a Windows local network I have a MySql database, several client applications (that only query the database) and one Windows NT service that fills the database on a regular basis.
I am looking for the best way to store database credentials such that all applications can access the database.
For the client applications (that are run by normal users) I store the credentials in the Windows credential manager, that as far as I understand is only visible to the specific user.
My question is:
Where do I best store the MySql credentials such that the Windows service can access the database?
thanks in advance,
Nicolas
The LsaStorePrivateData and LsaRetrievePrivateData functions are a reasonably straightforward method of storing and retrieving a secret. Data stored in this way can only be retrieved by someone with administrative access to the machine. This doesn't provide 100% protection, but (assuming there are no bugs and that the cryptographic algorithm has not been broken) the protection is as good as is logically possible if the secret has to be retrieved by a system service without manual intervention.
There is no built-in GUI for LsaStorePrivateData. You will need to write some code that uses this function to save the MySql credentials. (This code could, however, be located in the same executable as the system service, and accessed via a command-line option.)
The service runs as a user also, so why can't you use the same approach for it? That assumes that the service runs as its own user, or some other secure account.
I am practicing writing an app which use MySQL to manipulating data.
My concern is if my client machine doesn't have have MySQL pre-installed, it's not be able to run my app, is it?. So is there anyway to embed the database server right into the app, or to run the app without the data server. I wonder how all the softwares out there manipulates data. It's not like we need to install some kind of database server before install the app.
MySQL is a client/server database engine, which means that you must install the client and server separately from each, and they communicate over some kind of network protocol.
If you want to deploy a stand-alone application, you are probably better off using a library like SQLite, which gives you as much of the functionality of a SQL database as you are likely to need in such an app, but instead operates on local files and doesn't require installation of a separate server.
You can embed MySQL in your application, see MySQL as an Embedded Database for details.
Your application could work with the remote database, when configuring database connection you should set your DB server IP address(host), port and login credentials. so in order to write application which is dealing with data manipulation, you need to connect to any database instant.
If you are working on client-server application, MySQL database may be accessed either by means of MySQL (this solution may be suitable for internal networks), or through some database-side service, which can provide some API and which can be accessed from client via some application-level protocol (for example, XML-RPC).
If you are working on client application, there are other database solution, which can be used in stand-alone software: SQLite, Derby. As an alternative to database approach, you may consider storing data in XML / YAML format.
I suggest to wrap db layer in you application witch simple interface provided for all operations performed on the database. In this way, you will not have to go into the details of the atomic operations on the database and through unified interface, you can create several different classes which will be responsible for access to different databases in the same way (the same interface). These classes should realize the interface and implement all necessary methods inside (for example ADO). Now your db layer can be visible in all program it the same way. Wrapped class can realize singleton desing pattern and can be used as one instance enywhere in your application. Universal class design (interface) gives you many benefits such as the possibility of substitution on another layer if necessary (switch to a totally different db).
Currently the major means of connecting Flash AS2/AS3 to a MySQL database are:
Flash > PHP > MySQL -- "secure code" in PHP Scripts
Flash Asql or Assql > MySQL -- "secure code" in MySQL Stored Procedures
The second approach is newer, but directly connects to a MySQL DB using binary sockets and ByteArrays.
In which case would the "secure code" be less accessible and therefore more secure?
I'm assuming stored procedures cannot be accessed via FTP so that might be harder to break into?
Stored procedures can only be accessed by someone with the correct database credentials so they will be secure assuming no one cracks your Data Base password. You know it might actually be that the PHP code is more secure as you can hold the Data Base password on the server instead of in the host app.
I suppose you can always decompile flash and try to locate the password in the host app because with asql the password will be stored in the host app, instead of on the server hidden behind PHP
I'm not sure asql would work for users behind the proxy, so I wouldn't use it for website. Approach with PHP in the middle seems to be better and you can (and should) model api for your application that is different from your DB structure.
It appears that both assql and binary sockets are synchronous links that use a socket connection to the database. Which might be great for an AIR application, but for a browser app might be highly problematical. Is this for sure what you want? Your question about access through stored procedures gives me the idea you aren't too sure about this stuff.
In fact, using PHP properly will likely be easier for building a solid abstraction and security indirection barrier between your app (and its host) and the database.
EDIT:
Web clients and servers use the http protocol to communicate. This is called a "stateless" and "connectionless" (which is only kinda true) protocol because the connection between the two only lasts as long as it takes for the client to request everything and the server to send back everything. The obvious benefit is that the server only knows about each client for a very brief period of time.
A socket (in the sense these two protocols use one) is a permanently established connection between the client and server that persists until one end or the other closes it (connection-based); and both sides know the state of the connection (open or closed). So they tie up a lot of host resources per client for a long time, and things get wacky when the connection breaks. Big difference, and it can't be run through the ports supporting web pages - another port needs to be provided (sometimes two) on the host and the client to support the socket.