深入人心
网络技术不断发展数据保密性要求也越来越高
在通常Server/Client方式MIS开发中由于
要和数据库服务器保持联接为了灵活和扩充性联接参数(用户ID和登录口令)又不能在中写死(其实写死也不是
种好思路方法)般思路方法无外乎有两种:其是把联接参数存放在注册表中;其 2就是直接读INI文件 而综上几种思路方法安全性都不太好
给人以可乘的机 本人找到
种思路方法可以解决数据库应用安全性问题通过INI文件和数据库巧妙处理在中提供用户种接口可以随时修改数据库联接参数而又不给外人以蛛丝马迹做到神不知鬼不觉 实现思路方法如下:
1、创建INI文件
记录数据库联接些方便分发参数DBMS、SERVERNAME、LOGID具体如下: //创建成INI文件(rsgl.ini)
[Database]
DBMS=O84 ORACLE 8.0.4
ServerName=gxmistest //数据库服务器名
LogId=rsgl //实际
数据库登录用户 然后
在数据库中创建个中间用户PUB登录口令PUB赋予PUB用户CONNECTRESOURCE权限再在其中创建表CREATE TABLE TBL_PUB_PASSSHADOW (PASSSHADOW VARCHAR2(50) NOT NULL)用于存放实际数据库联接登录口令(当然要经过加密)加密
网上多是在此就不累述我自已创建了个
串加密f_password(
old_str, 
_str,
eger jm_mode)jm_mode参数用以区分加(解)密old_str、_str两参数分别为加(解)密串 2、就开始编写应用
了在应用OPEN事件中进行数据库登录联接脚本如下: ls_in
ile,ls_starttimes ls_logid,ls_logpass,ls_dbms ls_pass,ls_sql,ls_code,ls_server //设置INI文件
ls_in
ile = 'rsgl.ini' ls_server = ProfileString (ls_in
ile, "database", "ServerName", "") ls_logid = ProfileString (ls_in
ile, "database", "LogId","") // Profile pub
SQLCA.DBMS = ProfileString (ls_in
ile, "database", "dbms", "") SQLCA.LogPass = 'pub'
SQLCA.ServerName = ls_server
SQLCA.LogId = "pub"
SQLCA.AutoCommit = False
SQLCA.DBParm = ""
connect using sqlca;
//得到用户RSGL加过密
用户口令 select passshadow
o:ls_pass from tbl_pub_passshadow; //口令解密
ls_pass = f_password(ls_pass,0)
disconnect using sqlca;
//联接到实际
数据库用户RSGL SQLCA.ServerName = ls_server
sqlca.DBMS = ProfileString (ls_in
ile, "database", "Dbms","") SQLCA.DBParm = ProfileString (ls_in
ile, "database", "Dbparm","") sqlca.database = ProfileString (ls_in
ile, "database", "database","") sqlca.userid = ProfileString (ls_in
ile, "database", "userid","") sqlca.dbpass = ProfileString (ls_in
ile, "database", "dbpass","") sqlca.logid = ls_logid
sqlca.logpass = ls_pass//ProfileString (ls_in
ile, "database", "LogPass","") SQLCA.AutoCommit = False
connect using sqlca;
sqlca.sqldbcode <> 0 then choose
sqlca.sqldbcode 1017 MessageBox (
(sqlca.SQLDBCode),"不能联接数据库~r
:无效用户名和口令.请和管理员联系!") 12154 MessageBox (
(sqlca.SQLDBCode),"不能联接数据库~r:服务器名不存在!请和系统管理员联系.") 999 MessageBox (
(sqlca.SQLDBCode),"不能联接数据库~r:数据库不支持你当前安装!") 
MessageBox (
(sqlca.SQLDBCode),"不能联接数据库~r:"+ sqlca.sqlerrtext) end choose
halt close
open(w_gd_frame) //打开应用
主窗口 end
3、接下来
就是编写个用户接口让授权用户随时修改数据库联接参数窗口界面见下图:(文件名称:dblogon.jpg),窗口上面Control控件有: Control控件名称 Control控件属性
sle_server SingleLineEdit
sle_login SingleLineEdit
sle_oldkl SingleLineEdit
sle_pass SingleLineEdit
sle_repass SingleLineEdit
cb_1 commandbutton
cb_2 commandbutton
cb_1命令按钮
clicked事件如下: ls_inile,ls_pass,ls_logid,ls_repass,ls_old ls_k,ls_user,ls_sql ls_in
ile ='rsgl.ini' transaction pub_tr
pub_tr = create transaction
pub_tr.DBMS = ProfileString (ls_in
ile, "database", "dbms", "") pub_tr.LogPass = 'pub'
pub_tr.ServerName = sle_server.text
pub_tr.LogId = "pub"
pub_tr.AutoCommit = False
pub_tr.DBParm = ""
connect using pub_tr;
ls_old = sle_oldkl.text
ls_user = lower(trim(sle_logid.text))
//得到数据库联接原用户口令
select passshadow
o :ls_k from tbl_pub_passshadow using pub_tr; ls_old <> f_password(ls_k,0) then messagebox("提示","原口令不对!")
end
//检查核对口令
ls_pass = sle_pass.text
ls_repass = sle_repass.text
ls_repass <> ls_pass then messagebox("","核对口令不对
请重新输入!") end
SetProfileString(ls_in
ile, "Database", "Servername",sle_server.text) SetProfileString(ls_in
ile, "Database", "Logid",ls_user) //修改数据库用户
联接口令 ls_sql = ' alter user '+ls_user+' ident
ied by '+ls_pass Execute Immediate :ls_sql using sqlca;
ls_pass = f_password(ls_pass,1)
UPDATE TBL_PUB_PASSSHADOW SET PASSSHADOW =:ls_pass using pub_tr ;
commit using pub_tr;
commit using sqlca;
disconnect using pub_tr;
close(parent)
cb_2命令按钮
clicked事件如下:close(parent) 4、到此万事OK
所有代码已在Win98环境下
用PowerBuilder 6.5测试通过
最新评论