Thank you so much Joe..

You actually have been a great help...

Again thank you so much for your help,

Tom T

At 04:44 PM 9/21/2004, you wrote:
Thomas,

Because the db is lower than version 4 and doesn't support secure connections, unless the db is on the same box as the web server, then connection strings are already being passed between your web servers and the db across the local network using clear text and those connection strings are probably more fruitful targets for internal student hackers than yours would be. So it sounds to me like your Net Admin is putting an impossible requirement on your application that is not required for apps using more critical data. I don't see a way that you can secure your connection string as it is sent across the local network unless they upgrade the db to a version that supports secure connections.

Sorry I can't be of more help.

Best Regards,

Joe

Thomas Trutt <[EMAIL PROTECTED]> wrote:
Hi Joe,

My understanding, and please don't quote me on this one, is
that it is a shared server.. If I'm right the server that my db will be
running on also houses some large db's for our web services, here at
Cornell. The data I'm holding is actually very, very low security, it's tick
marks, but it is also the only database being accessed by an outside
client.. The program I wrote is a desktop application that the user can
record tick marks for when they are asked different types of questions at
the reference and computer operators desk here in the Library. It also
stores Invoice transactions but there is no CC or payment information
stored or used in the actual program. I think what my Net Admin's concern is
that someone may get access to my user name and password and somehow gain
access to the server as a whole, even though the user name and password
only has INSERT, DELETE, UPDATE, and READ access to my DB.. But I do know
that our servers are usually a nice target for hackers, i.e. bored computer
Science majors.. :o)

Again many thanks,

Tom T

At 04:00 PM 9/21/2004, you wrote:
>Thomas,
>
>http://dev.mysql.com/doc/mysql/search.php?q=ssl&lang=en&charset=iso-8859-1
>
>It looks like SSL/SSH are only available as of MySQL 4 or higher.
>Is your Net Admin really worried about eavesdropping of packets on the
>local network? It must be very sensitive data. If you already have a MySQL
>database on your network that is a lower version than 4 then how do the
>other apps connect to it securely? Or is your app the only one that needs
>this level of security and other apps can transmit to the db in clear text?
>
>Joe Audette
>
>Thomas Trutt wrote:
>Thanks,
>
>Actually it is the transmission connection string he is worried
>about. I might have to go with an SSL connection and go from there.. The
>problems being that I'm not sure what software I have available to me on
>the server and what software I can add to the client machines..
>
>This might be another simple question but with SSL can I have 5-6 machines
>all connected to the same server with the same user id being used??
>Unfortunately I'm new to SSL..
>
>Many thanks,
>
>Tom T
>
>At 03:31 PM 9/21/2004, you wrote:
> >Thomas,
> >
> >Are you sure that encrypting the connection string is what your network
> >admin means?
> >
> >When I hear someone say they want the logon encrypted I would think they
> >mean store the password of a user encrypted in the db. That is, the
> >application requires the user to logon and user info is stored in the db
> >to logon against. When the user enters a username and password the
> >password is encrypted and compared to an encrypted password in the db to
> >validate the user.
> >
> >I think you can use ssl to encrypt all communication between your app and
> >the database but I don't know of a way to pass an encrypted connection
> >string and have the db decrypt it before it makes a connection. My
> >ignorance doesn't mean it's not possible so maybe someone else can suggest
> >something.
> >
> >If the idea is to prevent someone from seeing your code and learning a db
> >logon I guess you could store the connection string encrypted in a config
> >file for your app then decrypt it before you connect. You'd have to use an
> >encryption that can be decrypted with a key.
> >Check out the System.Security.Cryptography.DESCryptoServiceProvider class
> >
> >Hope that helps,
> >
> >Joe Audette
> >
> >Thomas Trutt wrote:
> >Hello all,
> >
> >OK, I know this may be a simple question but I need a little help.
> >I am writing a program in VB.NET that uses MySQL as a backend. My net admin
> >wants the log on to be encrypted??
> >
> >This is currently how I am connecting:
> >
> >Public LocalSYS As New OdbcConnection("DRIVER={MySQL ODBC 3.51 Driver};" & _
> >"SERVER=192.168.0.1;" & _
> >"DATABASE=DB;" & _
> >"UID=User;" & _
> >"PASSWORD=Password;" & _
> >"OPTION=3;")
> >
> >As you can see it's a public variable that I have declared so that I don't
> >have to continuously add it for every form in the program.. So the question
> >I have is how do I change this so that it is encrypted??? Any ideas and
> >suggestions would be greatly appreciated..
> >
> >Many thanks,
> >
> >Tom T
> >
> >[EMAIL PROTECTED]
> >http://www.joeaudette.com
> >http://www.mojoportal.com
>
>
>--
>MySQL General Mailing List
>For list archives: http://lists.mysql.com/mysql
>To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
>
>
>
>[EMAIL PROTECTED]
>http://www.joeaudette.com
>http://www.mojoportal.com





--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
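
The approach suggested earlier in the thread (keep the connection string encrypted in a config file and decrypt it just before connecting), as an added example that is not part of the original messages: it uses Windows DPAPI through ProtectedData in place of the DESCryptoServiceProvider class named in the thread, so no decryption key has to ship with the program. The module name, file name and entropy value are hypothetical, and this protects the string at rest only, not as it crosses the network.

```vbnet
Imports System
Imports System.Data.Odbc
Imports System.IO
Imports System.Security.Cryptography   ' ProtectedData (reference System.Security.dll on .NET Framework)
Imports System.Text

Module ProtectedConnectionString
    ' Hypothetical file name and entropy value, chosen for this example.
    Private Const StoreFile As String = "db.conn.protected"
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("tickmarks-app-v1")

    ' Run once per client machine and user: encrypt the string with a key
    ' that Windows derives from the logged-on user's credentials.
    Sub SaveProtected(ByVal connectionString As String)
        Dim plain As Byte() = Encoding.UTF8.GetBytes(connectionString)
        Dim cipher As Byte() = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser)
        File.WriteAllText(StoreFile, Convert.ToBase64String(cipher))
        Array.Clear(plain, 0, plain.Length)
    End Sub

    ' Run at startup: decrypt the stored blob. DPAPI fails if the file was
    ' copied to another machine or user profile, or if it was modified.
    Function LoadProtected() As String
        Dim cipher As Byte() = Convert.FromBase64String(File.ReadAllText(StoreFile).Trim())
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(plain)
        Catch ex As CryptographicException
            Throw New InvalidOperationException( _
                "Stored connection string cannot be decrypted by this user on this machine.", ex)
        End Try
    End Function

    ' Replaces the hard-coded Public LocalSYS declaration: build the
    ' connection from the decrypted string instead of a literal in the code.
    Function CreateConnection() As OdbcConnection
        Return New OdbcConnection(LoadProtected())
    End Function

    Sub Main()
        ' Constructed sample, mirroring the placeholder values in the thread.
        Dim sample As String = "DRIVER={MySQL ODBC 3.51 Driver};SERVER=192.168.0.1;" & _
                               "DATABASE=DB;UID=User;PASSWORD=Password;OPTION=3;"
        SaveProtected(sample)
        Console.WriteLine(LoadProtected() = sample)   ' round trip check
    End Sub
End Module
```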


