SecurityLib 1.0

by

MarVic

 

 

Custom database access

 

 

Table of contents:

Introduction

Who should read this?

Two ways of implementation

Creating database provider basing on TDataSet

Common issues

Security

Other documents

 

 

Introduction

Who should read this?

This document is essential for developers who want to access the database using components or a database interface other than those shipped with the SecurityLib package or created by third-party companies. It describes how to create your own database provider.

Two ways of implementation

If you just want SecurityLib to access a database that is not supported by BDE, ODBC or ADO, or you want to access the database more directly to improve speed, you may use the classes implemented in the SecurityAdm.dll file and create descendants of them. Then you only have to replace the TDataSet descendants on the data modules with your own.

If you want to reimplement the whole database engine (the part of the SecurityLib DB Provider that takes care of all operations on data: inserting new users, checking for consistency and so on), you should derive your new data modules from the base classes also defined in SecurityAdm.

Creating database provider basing on TDataSet

This is a much simpler way of supporting new database systems. You need a VCL library for accessing the database. Then you have to create a database with the needed tables and relations, based on the Access database that is shipped in the package. Then comes the most important and most complicated task: you have to implement the views. The examples are in the Access database, so you should just port the queries to your database (sometimes you may be forced to modify some things).

Once the database is done, you should create a new DB Provider. First of all, derive three data modules from the classes TSecDMod, TSecDModSmpDlg and TSecDModDlg. Then drop onto them the appropriate components, with exactly the same names as in the examples, which will encapsulate the database objects. There are problems with the BCPPB editor; see the examples for how this was solved. The table components must be derived from TDataSet, as they will be used in the base classes. In addition, you have to implement helper virtual functions such as StartTransaction or DSSetParam.

It is a good idea to put the descendant of TSecDMod into one file and the other two classes into another. See the examples and the DBProviderBase class.

Should you need more information or help, email us.

Common issues

Security

The problem with DB providers is that someone may switch the provider and gain unlimited access to the SecurityLib database. To prevent this, there is a system of keys that makes sure no one has done so.

As DB providers are chosen by the name written in a registry key, the only thing the hacker can do is change the path in the registry or replace the dll file. So the key has to include the name. Secondly, only the company that developed a DB provider should be able to create a new one with the same name. This implies that there has to be a key for the company, and a way to obtain a legal key.

You can request by email to be assigned a name along with the key connected to it. The key is strictly confidential. If you give it away, there will be no other way than changing the name of your provider, and you lose developers' trust.

But what if a hacker loads the right DBProvider file and wants to extract the DBProvider key? Nothing happens: he cannot do that, because he would have to generate all random keys, pass them to the DB Provider, and store them. Because of the very large number of possible keys, this is out of the question. But suppose the hacker loads the DB Provider during the execution of SecurityLib, and when it asks about the key, the hacker passes it on to the DB Provider. Then the hacker can do anything.

So there is a special mechanism to prevent this. At the beginning, SecurityLib passes the address of the Handle function, encrypted with the DB Provider key. The DB Provider checks whether it is equal to its own Handle function address. If it is not, it cancels execution.

You may want to check out a scheme on the next page.
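
The Handle address check described above, as an added C++ example (not SecurityLib's own code): the host encrypts the address of the Handle entry point it resolved, and the provider accepts only a token that matches its own Handle address. XTEA, the key value, the Handle signature and all function names are assumptions made for the example; this document does not name the cipher SecurityLib uses.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed sample key; real provider keys are issued per provider name.
static const uint32_t kProviderKey[4] = {0x1f2e3d4cu, 0x5b6a7988u, 0x0badc0deu, 0x12345678u};

// XTEA block encryption, used here as a stand-in for SecurityLib's own cipher.
uint64_t xtea_encrypt(uint64_t block, const uint32_t key[4]) {
    uint32_t v0 = (uint32_t)block, v1 = (uint32_t)(block >> 32), sum = 0;
    for (int i = 0; i < 32; ++i) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    return ((uint64_t)v1 << 32) | v0;
}

typedef bool (*HandleFn)(uint64_t token);  // hypothetical Handle signature

static uint64_t addr_of(HandleFn f) { return (uint64_t)reinterpret_cast<uintptr_t>(f); }

// Genuine provider: accepts the token only if it encrypts the address of
// its own Handle. Comparing ciphertexts is equivalent to decrypting first.
bool RealHandle(uint64_t token) {
    return token == xtea_encrypt(addr_of(&RealHandle), kProviderKey);
}

// Substituted DLL that only relays the host's call to the genuine provider.
bool RelayHandle(uint64_t token) { return RealHandle(token); }

// Host side: the token is bound to the entry point the host actually
// resolved from the registry-named DLL, so a relayed token cannot match.
bool host_connect(HandleFn resolved) {
    return resolved(xtea_encrypt(addr_of(resolved), kProviderKey));
}

int main() {
    std::printf("direct load accepted: %d\n", host_connect(&RealHandle));
    std::printf("relayed load accepted: %d\n", host_connect(&RelayHandle));
    return 0;
}
```

The relayed call is refused because the token encrypts the relay's entry point, which the genuine provider compares against its own Handle address.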


 


Other documents:

“SecurityLib info”                    Basic information and introduction.

“User’s Manual”                       Information for users of programs based on SecurityLib.

“SecurityLib Administrator Manual”    Information for administrators.

“Interface and programming guide”     Information for programmers.

www.marvic.prv.pl/securitylib/        SecurityLib website.

 

                

               

MS Access and Windows are trademarks of Microsoft Corp.

All other trademarks are owned by their respective owners and were used for informational purposes only.