Security Question

Discussion of open issues, suggestions and bugs regarding SDAC (SQL Server Data Access Components) for Delphi, C++Builder, Lazarus (and FPC)
hmelihkara
Posts: 21
Joined: Fri 09 Nov 2007 23:29

Post by hmelihkara » Tue 15 Dec 2009 16:41

Hi All,
We have some critical applications that have direct access to our databases over VPN using SQL Server authentication. Protecting the username and password from the user is easy with some tricks in non-running executables, but if the executable is running, then what? I tried some tests to find the username and password information in memory. I used WinHex to search through the memory and boom: the username and password are clearly readable. I tried to burn the username and password from memory by overwriting them with some random data after the MSSQLConnection connected, but this time, at my first query, I get a SQL Server authentication error. Is there any way or mode in which SQL Server authenticates the connection one time for the application / user / computer and then does not need any username/password information, so that I can burn it from memory?
Or is there any way that I can protect my databases while applications are running outside the corporation?

Thanks for your help...

Dimon
Devart Team
Posts: 2885
Joined: Mon 05 Mar 2007 16:32

Post by Dimon » Wed 16 Dec 2009 14:51

Try to execute the TMSConnection.Connect method when you start working with the database.

hmelihkara
Posts: 21
Joined: Fri 09 Nov 2007 23:29

Post by hmelihkara » Sun 20 Dec 2009 18:02

Dimon wrote: Try to execute the TMSConnection.Connect method when you start working with the database.
I tried to use BeforeConnect and AfterConnect;
with the SQL Server authentication method, the BeforeConnect and AfterConnect events fire on every query.
I decrypt the password in BeforeConnect and assign it to Password
...
After connecting, the AfterConnect event fires and I burn the password there.

Here is a simple test code

Code:

// Fired once the login has succeeded: overwrite the stored password
// with a random value so the real one no longer sits in the component.
procedure TDataBase.MSSQLAfterConnect(Sender: TObject);
begin
  Randomize;
  MSSQL.Password := IntToStr(Random(1000000000));
end;

// Fired just before the login: put the real password back.
// ('12345' stands in for the value decrypted at runtime.)
procedure TDataBase.MSSQLBeforeConnect(Sender: TObject);
begin
  MSSQL.Password := '12345';
end;
Assume that we decrypt the password in BeforeConnect and then assign it.
But when the program runs,

I get:

Code:

First chance exception at $7607E124. Exception class EAssertionFailed with message 'Assertion failure (D:\Projects\Delphi\Dac\SqlServer\Source\OLEDBAccess.pas, line 2344)'
AND...

If I write this code in MSConnection's AfterConnect, the MSConnection.Connected property never becomes true even if it is connected...

Thanks for your help...

Dimon
Devart Team
Posts: 2885
Joined: Mon 05 Mar 2007 16:32

Post by Dimon » Tue 22 Dec 2009 10:23

The problem is that changing the password disconnects the connection. Therefore, in the AfterConnect event handler you get a disconnected connection.
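Given Dimon's point that assigning Password after Connect drops the connection, the component's own copy of the password has to stay for as long as the session is open. What the application can still do is keep its own plaintext copy alive for as short a time as possible and zero it before releasing it. The following is an added example, not code from this thread or from Devart; it assumes the SDAC unit name MSAccess for TMSConnection and uses a hypothetical DecryptPassword placeholder in place of whatever decryption routine the application actually uses:

```delphi
unit CredentialWipeDemo;

interface

uses
  SysUtils, Classes, MSAccess;  // assumption: MSAccess is the SDAC unit declaring TMSConnection

// Zero a string's characters in place and release it.
procedure WipeString(var S: string);

// Decrypt the stored password, hand it to the connection, connect, and wipe
// our own plaintext copy before returning.
procedure ConnectWithShortLivedPassword(Conn: TMSConnection;
  const EncryptedPassword: string);

implementation

// Placeholder for the caller's real decryptor: the thread only says the
// password is decrypted in BeforeConnect, not how. Replace with your own.
function DecryptPassword(const Encrypted: string): string;
begin
  Result := Encrypted;
end;

procedure WipeString(var S: string);
begin
  if S = '' then
    Exit;
  UniqueString(S);                               // make sure this variable owns the buffer
  FillChar(S[1], Length(S) * SizeOf(Char), 0);   // overwrite every character with zero
  S := '';                                       // then release the (now blank) buffer
end;

procedure ConnectWithShortLivedPassword(Conn: TMSConnection;
  const EncryptedPassword: string);
var
  Plain: string;
begin
  Plain := DecryptPassword(EncryptedPassword);
  try
    Conn.Password := Plain;   // the component keeps its own copy for the login
    Conn.Connect;             // log in while the password is set
  finally
    WipeString(Plain);        // our copy lives only for the length of this call
  end;
  // Do not assign Conn.Password again here: as the reply above says, changing
  // the password disconnects, so the component's copy must remain untouched.
end;

end.
```

The wipe matters because a plain `S := ''` only drops a reference; the characters stay in freed heap memory until something else overwrites them. Note what this does not do: the connection component, and the client libraries beneath it, still hold the password for the life of the session, so a user who can inspect the process's memory can still recover it. This shortens the window for the application's own duplicate; it does not remove the secret from a running process, which is the limitation the original question runs into.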
