Preventing User Access From Other Tools
When users have other products on their machines that can connect to a database, Access
for example, they are able to connect to your application database directly. If the user
knows their ID and password, which they do because they type them into your application's
logon screen, then nothing stops them from connecting via Access, bypassing all the business
rules in your PowerBuilder client, and tampering with the data.
The simplest way to stop this is to encrypt the user's password. It does not have to be
anything complicated, but it should be more than simply reversing the password.
Take a look at the encryption routines on the software page.
When the user logs on, first attempt to connect with their ID and the encrypted version of
their password. If that fails, try the password in plain text. If that connection succeeds,
change the account's password to the encrypted form. This way you can secure the user
accounts in place, and re-encrypt whenever a user's password is reset.
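The logon-and-migrate sequence above, written out as an added example in Python rather than PowerScript (it is not code from the original page). The in-memory `FakeDatabase` stands in for the real DBMS, and the derivation uses HMAC-SHA256 keyed with an application secret instead of a simple reversal; both the secret and the 32-character password limit are assumptions of this example.

```python
import hashlib
import hmac

APP_SECRET = b"constructed-example-secret"  # assumption: held by the app, not the user


def derive_db_password(user_id: str, password: str) -> str:
    """Derive the credential the application presents to the DBMS.
    Keyed with an application secret, so a user who knows only their own
    password cannot reproduce it from Access or another ad-hoc tool."""
    mac = hmac.new(APP_SECRET, f"{user_id}:{password}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]  # assumption: DBMS accepts 32-char passwords


class FakeDatabase:
    """Constructed stand-in for the DBMS: maps user id -> current password."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)

    def connect(self, user_id, password):
        return self.accounts.get(user_id) == password

    def alter_password(self, user_id, new_password):
        self.accounts[user_id] = new_password


def application_logon(db, user_id, password):
    """Try the derived credential first; fall back to the plain password and,
    if that works, rotate the account to the derived form in place.
    Returns (connected, migrated)."""
    derived = derive_db_password(user_id, password)
    if db.connect(user_id, derived):
        return True, False  # account already secured
    if db.connect(user_id, password):
        db.alter_password(user_id, derived)  # one-time migration
        return True, True
    return False, False  # wrong password either way


if __name__ == "__main__":
    db = FakeDatabase({"alice": "s3cret"})  # constructed sample account
    print(application_logon(db, "alice", "s3cret"))  # (True, True)
    print(application_logon(db, "alice", "s3cret"))  # (True, False)
    print(db.connect("alice", "s3cret"))  # False: plain password no longer works
```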
If you want to take the security a little further, you can also hide the encryption
algorithm from your fellow developers by writing the encryption routine as a C++ DLL and
calling it through an external function declaration.