Devart Forums

Discussion forums for open issues and questions concerning database tools, data access components and developer tools from Devart
https://forums.devart.com/

Security Question

https://forums.devart.com/viewtopic.php?f=6&t=16661

Page 1 of 1

Security Question

Posted: Tue 15 Dec 2009 16:41
by hmelihkara
Hi All,
We have some critical applications that has direct access to our databases over vpn by sql server authentication. Protecting the username and password from the user is easy with some tricks in non-running executables, but if executable is running than what? I try some test to find out username, password information in memory. I use winhex to search through the memory and boom. The username and password is clearly readable. I try to burn the username and password from the memory by overwriting some random data after MSSQLConnection connected, but this time; at my first query i take sql server authentication error. Is there any way or mode that sql server authenticates the connection one time for application / user / computer than does not need any username password information so i can burn it in memory?
Or is there any way that i can protect my databases while applications are running out of corporation?

Thanks for your helps...

Posted: Wed 16 Dec 2009 14:51
by Dimon
Try to execute the TMSConnection.Connect method when you start working with database.

Posted: Sun 20 Dec 2009 18:02
by hmelihkara
Dimon wrote:Try to execute the TMSConnection.Connect method when you start working with database.
I try to use BeforConnect and AfterConnect,
with sql server authentication method beforeconnect and afterconnect events fired on every query.
I decrypt the password in BeforeConnect and assign to password
...
After Connected the AfterConnect event fired and i burn the password here.

Here is a simple test code

Code: Select all

procedure TDataBase.MSSQLAfterConnect(Sender: TObject);
begin
  Randomize; 
  MSSQL.Password := inttostr(Random(1000000000));
end;

procedure TDataBase.MSSQLBeforeConnect(Sender: TObject);
begin
  MSSQL.Password := '12345';
end;
Think that we decrypt the password in BeforeConnect then assign.
But when the program runs.

I get:

Code: Select all

First chance exception at $7607E124. Exception class EAssertionFailed with message 'Assertion failure (D:\Projects\Delphi\Dac\SqlServer\Source\OLEDBAccess.pas, line 2344)'
AND...

If I wrote this code in MSConnection's AfterConnect: the MSConnection.Connected property never gets true value even if it is connected...

Thanks for your helps...

Posted: Tue 22 Dec 2009 10:23
by Dimon
The problem is that on changing password connection disconnects. Therefore in the AfterConnect event handler you get disconnected connection.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/