Qt and MySQL : What about security?



  • Hi
    I am working on a Qt C++ and MySQL application (inventory system). The problem is that when I will give it to somebody the admin username and password will be part of application source code.

    @
    QSqlDatabase db = QSqlDatabase::addDatabase("QMYSQL");
    db.setHostName("host");
    db.setDatabaseName("menudb");
    db.setUserName("root");
    db.setPassword("test");
    @

    I know that is not the right way. Can somebody give me the correct way?

    Thanks



  • Hi,

    Don't hardcode such values if the app is not meant just for your own use and for simple experiments. You should let the user give these values, for example through a dialog box.

    Also, you shouldn't give access to MySQL with the root/admin account. Create users in MySQL with specific rights for the specific database.


  • Moderators

    you could implement a routine which reads an encrypted file containing the credentials.
    But anyway if you provide the source code it's easy to debug the application and get the credentials at runtime.
    So you would need to let the user enter the credentials and only distribute them to the people you intend to.



  • Hello,

    Is it possible to encrypt the credentials with QSettings?

    The app would read it from an ini file then load it to textboxes (with the password encrypted) so that it can be modified by a user?


  • Moderators

    [quote author="puterk" date="1384160415"]
    Is it possible to encrypt the credentials with QSettings?
    [/quote]
    no QSettings saves plain values. But you can save encrypted values. You could use "QCA":http://delta.affinix.com/qca/ for example for that.



  • Use QSQLITE as the database driver, in that case you don't need username and password.



  • I think you should have a look at the database end instead. First, don't give root access (if that is the superuser of the database), create separate account with as few access rights as possible and then create a database layer with rules that restricts what the client can do with the database.
    Then it really doesn't matter if you give the end user the password :)



  • Hi,

    I think you don't really need to give the end user the password or hardcode it, if you use for instance and ODBC connection as DSN system: once you have configured it, in code you just need the DSN name (the password will be provided automatically by system and is protected); may be the user name is visible in connection (i.e. ODBC administrator or registry) but without password is useless, and is better as mentioned in thread to create a user with sufficient privileges


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.