在应用程序中隐藏MySQL凭据 [英] Hiding MySQL Credentials in Application
问题描述
我需要为公司创建应用程序,他们希望有人登录到应用程序,以具有不同的权限来执行不同的任务。
I need to create an application for a company and they would like to have people login to the application to have different permissions to perform different tasks.
我的初步想法是创建MySQL数据库,将凭据硬编码到应用程序中,并将应用程序连接到MySQL数据库。 MySQL数据库然后将有一个名为users的表,它将存储用户名,密码和权限。然后应用程序将查询服务器并执行身份验证。
My initial idea was to create a MySQL database, hardcode the credentials into the application and have the application connect to the MySQL database. The MySQL database would then have a table called "users" which would store usernames, passwords and permissions. The application would then query the server and perform the authentication.
最大的问题是将MySQL凭据硬编码到应用程序中。如果应用程序进入错误的手中,他们可以对MySQL数据库进行大量的损害,如果他们探索以找到凭据并开始删除表。
The biggest problem with this is having the MySQL credentials hard coded into the application. If the application gets into the wrong hands, they could do lots of damage to the MySQL database if they snoop around to find the credentials and start dropping tables.
开发一个充当MySQL数据库接口的服务器。例如,客户端应用程序将通过TCP连接到服务器,并且服务器连接到MySQL数据库。这样MySQL的凭据永远不会暴露给最终用户。然而,这意味着我必须开发一个服务器应用程序,a)将更难于为我的客户维护和部署(而不是只设置一个MySQL服务器)和b)有潜力引入更多的错误,因为我有一个额外的系统我需要做(它涉及回到点a,用于部署错误修复等)
So I thought of developing a server that acts as an interface for the MySQL Database. For example, the client application would connect to the Server via TCP, and the server connects to a MySQL database. That way the MySQL credentials are never exposed to end-users. However, this means I have to develop a server application which a) will be harder to maintain and deploy for my customer (as opposed to just setting up a MySQL Server) and b)Has potential to introduce more bugs since I have an additional system I need to make (which relates back to point a for deploying bug fixes, etc)
所以我想,而不是在数据库中有一个用户表,应用程序使用硬编码凭证直接连接到MySQL服务器,最终用户将获得实际的MySQL用户凭据,并在其中输入到应用程序中以连接到MySQL服务器。这意味着如果有人得到他们的手上的应用程序,他们不能做任何损坏的MySQL数据库,但仍然有最终用户给他们的凭据错误的人的风险。
So I was thinking instead of having a table of users in the database and having the application connect directly to the MySQL server with hardcoded credentials, the end-user would be given actual MySQL user credentials in which they would enter into the application to connect to the MySQL server. This means if someone gets their hands on the application, they can't do any damage to the MySQL database, but there still remains the risk of an end-user giving their credentials to the wrong person.
将桌面应用程序连接到MySQL数据库的最佳方法是什么?除了我想到的3以外,还有其他解决方案,或者你对我的解决方案有任何想法吗?
What are the best ways to have a desktop application connect to a MySQL database? Are there any other solutions other than the 3 I have thought of, or do you have any thoughts on my solutions?
推荐答案
@Perception注意。你最好在这里是在MySQL前面实现一个web服务。您不希望来自未知IP地址的未知IP地址的客户端数量都能访问您的数据库。
As @Perception noted. Your best bet here is to implement a web service in front of MySQL. You don't want unknown numbers of clients from unknown IP addresses all having access to your database.
通过绑定MySQL连接,DOS攻击真的很容易。更不用说,您会非常严重地限制您扩展后端服务的能力,以满足增加的客户群的需求,而无需在两者之间建立Web服务。
It would be really easy to DOS attack you by tying up MySQL connections. Not to mention that you would very severely limit your ability to scale your backend service to meet the demands of an increased client base without having a web service in between.
网络服务还可以让您以多种方式(用户/传递组合,基于令牌的访问,OAuth访问等)控制用户身份验证和授权。
The web service could also offer you the ability to control user authentication and authorization in any number of ways (user/pass combination, token-based access, OAuth access, etc.).
这篇关于在应用程序中隐藏MySQL凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
