Desktop App + DB Online (Hosting)

Viewed 510 times

Good afternoon,

Guys, my question is about connecting a desktop application to an online database:

Question 1: What is the best way to keep the connection to the hosting server secure?

Question 2: What risks will I be taking, and what measures should I take to eliminate or reduce those risks?

Question 3: I have these concerns: data corruption, hacking, connection drops and data loss. What can I do to prevent these kinds of problems?

My application is written in Delphi and my database is online (on a hosting server).

  • Usually you do not access the database from the desktop application. The right thing is to access a web service, with authentication etc. It is very difficult to say which technique is best without knowing the details of your application, but you should never expose the database directly.

  • That’s exactly what I tell my boss, but since he’s the kind of person who wants what he asks for, at least I can try to minimize the access risk.

1 answer


Well, let’s go in order.


1: How to keep the communication safe: if your application accesses the database directly, there is no way (explanation below). How this communication could be done safely: a web service on the database server, exposing high-level calls, with authentication etc.


2: Risks:

2.1: Your database must have a user/password. This in no way means security over a network. Think about it: your app needs to store this information. Anyone with access to the app could extract this data and compromise the database. You could restrict the IPs that may access the database, but this only reduces the problem slightly.

2.2: If your application accesses the database directly, an error in the application could corrupt the data. Integrity should be enforced as close to the database as possible.

2.3: If your application accesses the database directly, there is nothing between the two. This means you are exposing a database that accepts any command, any instruction.


3: I honestly don’t have experience with an architecture where the desktop application accesses the database directly. In addition to securing access, perhaps with a VPN, it is essential to use stored procedures in the database so that only complete operations are exposed. Never expose the database openly.


Other advantages of an abstraction layer (web service):

  1. The service sends/receives higher-level application data, which reduces client/server communication. The web service is on the same server as the database, and all calls and intermediate queries stay on the server. Remember: you pay for the data that goes in and out of the server...
  2. If you need to change the database, you can change the web service and keep everything running. Would it be possible to update all the client apps immediately? You control the web service and can update it while offering the same methods to the clients, who never even see the change.
  3. Similar to item 1, web service-to-database performance is much higher than client-to-database. Quick query/update cycles, if done on the same server, can take minutes if they have to go to the client and back.
  4. If a call has the potential to change many records, do you accept that these records be sent to the client, updated and returned to the server? And if each trip takes 30 seconds?
  • Basically the most recommended way to connect to a hosted database is via a web service.

  • What do you say: if I configure the company IP through cPanel, and connect the system to the company IP through a VPN, does that improve things a bit more?

  • This reduces the security problem, but what about the amount of data, the round-trip time, and what happens if the client loses the connection in the middle of a call?

  • I don’t know how to tell you how to secure this, so I don’t consider what I’ve written a complete answer. I tried to discourage you from doing it the way you asked; hopefully someone can tell you how to do it the way you need as safely as possible.

  • In fact, I was discouraged from doing this from the beginning; I only asked the question on the forum because my boss insisted on the research, even though I said it’s not good practice and nobody would do it. I pointed out the web service because it’s the safest way I’ve found so far. I know there are others, but even so, it’s hard enough that it makes me ask useless questions about things I already know, going against the principles of data security.

  • Exactly... I posted more in the sense of giving you ammunition if you want to argue this.

  • Awesome, thank you very much. :D

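The contrast the answer draws (point 1, the web service exposing only high-level calls with authentication; point 2.2, integrity enforced next to the data; point 2.3, a directly exposed database accepting any command; and the comment about a client dropping the connection in the middle of a call) in runnable form. This is an added example, not code from the question or the answer. It assumes a hypothetical products/orders schema, uses an in-memory SQLite database as a stand-in for the hosted database, and uses a simple HMAC token as a stand-in for whatever real authentication the service would use; the point is that the database credentials and the SQL never leave the server.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed sample schema and data (hypothetical stock/orders system)."""
    conn = sqlite3.connect(":memory:")
    # The CHECK constraint keeps the integrity rule "stock never goes
    # negative" inside the database, as close to the data as possible.
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, "
        "stock INTEGER NOT NULL CHECK (stock >= 0))"
    )
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "product_id INTEGER NOT NULL, qty INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, 10), (2, 0)])
    conn.commit()
    return conn


# --- The design the answer warns against: the client talks to the DB -----
def direct_db_execute(conn, sql):
    """The client holds the database credentials and ships raw SQL, so the
    server runs any statement the client (or whoever pulled the credentials
    out of the desktop binary) cares to send."""
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# --- The design the answer recommends: a service with high-level calls ---
# Hypothetical demo secret; a real service would issue per-user session
# tokens. It only exists so that unauthenticated requests can be refused.
SERVICE_SECRET = b"demo-secret-not-for-production"


def make_token(user):
    mac = hmac.new(SERVICE_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token):
    """Return the user name if the token is valid, else None."""
    try:
        user, mac = token.split(":", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVICE_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def place_order(conn, product_id, qty):
    """High-level call: decrement stock and record the order in ONE transaction.
    The constraint and the transaction both live on the server, so a client
    that loses its connection mid-call cannot leave a half-applied order."""
    if qty <= 0:
        raise ValueError("qty must be positive")
    with conn:  # commits on success, rolls back on any exception
        cur = conn.execute(
            "UPDATE products SET stock = stock - ? WHERE id = ?", (qty, product_id)
        )
        if cur.rowcount != 1:
            raise ValueError("unknown product")
        cur = conn.execute(
            "INSERT INTO orders (product_id, qty) VALUES (?, ?)", (product_id, qty)
        )
        return cur.lastrowid


def get_stock(conn, product_id):
    row = conn.execute(
        "SELECT stock FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    return row[0] if row else None


# The only operations a client can name. There is no "run this SQL" entry.
OPERATIONS = {"place_order": place_order, "get_stock": get_stock}


def handle_request(conn, token, method, params):
    """Service entry point: authenticate, dispatch to a whitelisted
    operation, and report (status, payload) back to the client."""
    if verify_token(token) is None:
        return ("unauthorized", None)
    op = OPERATIONS.get(method)
    if op is None:
        return ("unknown_method", None)
    try:
        return ("ok", op(conn, **params))
    except (ValueError, sqlite3.IntegrityError) as exc:
        return ("rejected", str(exc))
```

Running `handle_request` with a bad token is refused before any SQL runs; asking for a method that is not in `OPERATIONS` is refused regardless of the token; an order that would drive stock negative is rolled back as a whole, leaving no orphan row in `orders`. By contrast, `direct_db_execute` happily applies an unconstrained `UPDATE` to every product, which is exactly the "accepts any command" situation in point 2.3.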
