How to secure an Access database in Delphi?
Hello!
I have the following task:
I am creating an application in Delphi; it needs authorization and has to work with an Access DB.
The question arose of how to externally isolate the database, so that data could be accessed only from the application, and the application could only be entered by specifying the correct Login and Password + secret word that are entered in Access.
And one more thing, tell me how to hide the database from the user so that this database is not visible outside the application.
Thanks a lot!)
The question clearly gives too little input.
Access is definitely not suitable for this task. Although if you build a three-tier application and encrypt all critical fields, you can struggle through it.
I would do this:
Place the database on another server: Firebird.
In it I would create an ordinary user. The user would only be allowed to read certain tables and views, and execute certain procedures. In other words, I would make it so that the user could not read or write what he was not allowed to. On the same server I would launch another application whose task is to connect to the database as sysdba, read the table with the users' usernames and passwords, and sit and wait for the user to connect. The second task of the server application is to accept SSL connections and decrypt them. There should also be protection against password guessing.
On the client I would use SSL.
But this solution has a big problem. To protect yourself from dll injection, you need to get rid of the external ssleay.dll and fbclient.dll, you need to take their sources and inject them into the application without using the dll technique. And this is clearly not Delphi.
If the user can run the application and use it, then what prevents him from making a simple script that will parse the data from the database? Any Windows GUI application that uses the Windows API can be spoofed by an external program.
If the task is to limit the user to only his sandbox, then here you need to work on the database design, its structure and business logic. Firebird lets you impose various restrictions using only the server's capabilities, including showing records from a table selectively through a view (while blocking access to the table).
But if the database is physically accessible to the user, then encrypt it. Perhaps there are some ready-made solutions.
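As an added illustration of the approach in the answers above (an ordinary user who may only read certain views and execute certain procedures, with direct access to the table blocked), here is the corresponding Firebird SQL. It is not code from any of the posters; the table, view, procedure, user name and password are made-up placeholders.

```sql
-- Added example (Firebird 3.0+ syntax, run in isql as the database owner).
-- All object names, the user name and the password are made-up placeholders.

CREATE TABLE orders (
    id         INTEGER NOT NULL PRIMARY KEY,
    owner_name VARCHAR(63) NOT NULL,   -- Firebird login that owns the row
    item       VARCHAR(100) NOT NULL,
    amount     NUMERIC(12,2) NOT NULL
);

-- The view exposes only the rows that belong to the connected login.
CREATE VIEW v_my_orders (id, item, amount) AS
    SELECT id, item, amount
    FROM orders
    WHERE owner_name = CURRENT_USER;

-- Writes go through a procedure that stamps each row with the caller's login,
-- so a client cannot insert rows on behalf of another user.
SET TERM ^ ;
CREATE PROCEDURE add_order (p_id INTEGER, p_item VARCHAR(100), p_amount NUMERIC(12,2))
AS
BEGIN
    INSERT INTO orders (id, owner_name, item, amount)
    VALUES (:p_id, CURRENT_USER, :p_item, :p_amount);
END^
SET TERM ; ^
COMMIT;

-- Ordinary account used by the client application (placeholder password).
CREATE USER app_user PASSWORD 'CHANGE_ME';

-- The view and the procedure receive rights on the table; the user receives
-- rights only on the view and the procedure, never on the table itself.
GRANT SELECT ON orders TO VIEW v_my_orders;
GRANT INSERT ON orders TO PROCEDURE add_order;
GRANT SELECT ON v_my_orders TO USER app_user;
GRANT EXECUTE ON PROCEDURE add_order TO USER app_user;
COMMIT;

-- app_user holds no grant on ORDERS, so a direct SELECT, UPDATE or DELETE on
-- the table is refused by the server, while the view and procedure keep working.
```

Because the restriction is enforced by the server, it holds even if the user connects with a tool other than the Delphi client.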
1) There is some kind of protection with logins and passwords in Access itself. Yes, as in almost any database (or every one).
If it is reliable enough, we use it, and from the outside (from the office) there will also be access only by login and password.
2) 100% reliable option: archive with a password.
This protects against brute force or hacking of the database itself.
But a reverse engineer can hack the application itself by learning the password or changing it. If he gets paid.
A silly piece of advice, which will work if the database is small:
encrypt the database yourself, pack it into a *.res, embed that in turn into the application itself, decrypt it in RAM, and pretend it is a file mapped into RAM. Of course, with the password in hand, digging the database out will not be difficult.
You can't. The database password can be guessed in a couple of seconds; security is a big minus of all embedded databases (Firebird Embedded, SQLite). There are 2 options: use a normal SQL database (for example Firebird, which is very lightweight) or do encryption and decryption on the fly.
Yes, there is too little input, BUT if the front end is in Delphi and the database is in Access, then Allah himself commands you to encrypt the values, and from there it depends only on your imagination, and sprinkle some salt into the database... Access's built-in authorization mechanisms are useless, but it will not hurt to use them as well. The main idea of the protection should be to increase the effort required to bypass it.