Security precaution of database connection in PB application

With the popularity of the Internet and the continuous development of network technology, the confidentiality requirements of data are more and more high. In the usual server/client mode mis development, because the program to maintain the connection with the database server, for the flexibility and extensibility of the program, the join parameters (user ID and login password) can not be written in the program death (in fact, writing death is not a good way), There are two kinds of general methods: one is to store the join parameters in the registry, and the other is to read the INI file directly. And the safety of several methods are not very good, give people the opportunity. I found a way to solve the security of the database application, through the INI file and the clever processing of the database, in the program to provide a user interface, you can modify the database at any time the parameters of the connection, but not to outsiders with clues, do not know unnoticed. The implementation method is as follows: 1, create INI file, record database joins some convenient program distribution parameters DBMS, SERVERNAME, Logid specific as follows://Create the INI file (rsgl.ini) [Database] dbms=o84 ORACLE 8.0.4 servername=gxmistest//Database server name LOGID=RSGL//Actual database login user then, in the database to create an intermediary user pub, login Password pub, give pub users Connect,resource permissions, In which you create table creation table Tbl_pub_passshadow (Passshadow VARCHAR2 () not NULL) is used to hold the login password for the actual database join (encrypted, of course). The encryption function is much more on the web, and this is not a tiring statement. I have created a string encryption function F_password (string old_str,string new_str,integer jm_mode), jm_mode parameter to distinguish the addition (solution) of the function, Old_str, new_ The str two parameter is an added (solution) dense string. 2, began to write the application, in the application of the Open Event database login join, the program script is as follows: String Ls_inifile,ls_starttimes string Ls_logid,ls_logpass,ls_dbms String ls_pass,ls_sql,ls_code,ls_server//setting INI file Ls_inifile = ' Rsgl.ini ' ls_server = profilestring (Ls_inifile, " Database "," servErname "," ") Ls_logid = ProfileString (ls_inifile," database "," Logid "," ")/Profile pub SQLCA. DBMS = profilestring (ls_inifile, "database", "DBMS", "") SQLCA. Logpass = ' pub ' SQLCA. ServerName = Ls_server SQLCA. Logid = "Pub" SQLCA. autocommit = False SQLCA. Dbparm = "" Connect using Sqlca; A user password with a user RSGL encryption Passshadow into:ls_pass from Tbl_pub_passshadow; Password decryption Ls_pass = F_password (ls_pass,0) disconnect using Sqlca; Joins to the actual database user Rsgl SQLCA. ServerName = Ls_server Sqlca. DBMS = profilestring (ls_inifile, "database", "DBMS", "") SQLCA. Dbparm = profilestring (ls_inifile, "database", "Dbparm", "") Sqlca.database = ProfileString (ls_inifile, "Database", "Dat Abase "," ") Sqlca.userid = ProfileString (ls_inifile," database "," userid "," ") Sqlca.dbpass = ProfileString (Ls_inifile," Database "," Dbpass "," "") Sqlca.logid = Ls_logid Sqlca.logpass = ls_pass//profilestring (ls_inifile, "database", "Logpass" , "") SQLCA. Autocommit = False Connect using Sqlca; If Sqlca.sqldbcode <> 0 then choose CASe sqlca.sqldbcode case 1017 MessageBox (String (SQLCA. Sqldbcode), "Cannot join the database. ~r Error: Invalid username and password. Please contact your administrator! " Case 12154 MessageBox (string Sqlca. Sqldbcode), "Cannot join the database. ~r Error: Server name does not exist! Contact your system administrator. " Case 999 MessageBox (String Sqlca. Sqldbcode), "Cannot join the database. ~r Error: Database does not support your current installation! " Case Else MessageBox (string (SQLCA). Sqldbcode), "Cannot join the database. ~r Error: "+ sqlca.sqlerrtext" end Choose halt close else open (w_gd_frame)//Open the application's main window End If 3, next, is to write a user interface that allows authorized users to modify the database join at any time Parameters。 Window interface (file name: dblogon.jpg), the control above the window has: Control Name control Properties Sle_server Singlelineedit sle_login singlelineedit Sle_oldkl The Cb_1 event for the Sle_pass singlelineedit sle_repass singlelineedit CommandButton cb_2 CommandButton cb_1 command button is as follows: string clicked Inifile,ls_pass,ls_logid,ls_repass,ls_old string Ls_k,ls_user,ls_sql ls_inifile = ' Rsgl.ini ' transaction pub_tr = Create transaction pub_tr. DBMS = profilestring (ls_inifile, "database", "DBMS", "") pub_tr. Logpass = ' pub ' pub_tr. ServerName = Sle_server.text pub_tr. Logid = "Pub" pub_tr. autocommit = False pub_tr. Dbparm = "" Connect using Pub_tr; Ls_old = Sle_oldkl.text Ls_user = lower (Trim (sle_logid.text))//Get database Join original user password Select Passshadow into:ls_k from Tbl_pub_pas Sshadow using Pub_tr; If Ls_old <> F_password (ls_k,0) then MessageBox ("Prompt", "Original password not correct!") return End If//check password Ls_pass = Sle_pass.text Ls_repass = sle_repass.text if Ls_repass <> Ls_pass then MessageBox (" "," Check the password is not correct, please re-enter! ") Return End If Setprofilestring (Ls_inifile, "Database", "Servername", Sle_server.text) setprofilestring (Ls_inifile, " Database "," Logid ", Ls_user)//Modify the user's join password Ls_sql = ' alter user ' +ls_user+ ' identified by ' +ls_pass Execute Immediate:ls _sql using Sqlca; Ls_pass = F_password (ls_pass,1) UPDATE Tbl_pub_passshadow SET Passshadow =:ls_pass using Pub_tr; Commit using Pub_tr; Commit using Sqlca; Disconnect using Pub_tr; The clicked event for the close (parent) cb_2 command button is as follows: Close (parent) 4, to this everything OK. All code has been passed in the WIN98 environment with the PowerBuilder 6.5 test. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) The original text: the security precaution of database connection of PB applicationBack to network security home