
How to protect mysqldb connection in python?

I'm creating a pygtk app that needs a mysql connection from a remote db.

import MySQLdb

db = MySQLdb.connect("remotehost", "username", "password", "database", charset='utf8')

App is almost completed and going to be published. But the problem is, if anyone decompiles this script they can easily read the above credentials, and then there is a security issue. So how can I protect this code, or is there any way I can strongly compile this file?

Database connections are generally made from trusted computers inside a trusted network, for a variety of reasons:

  • As you've seen, the client needs to store access credentials to the DB.
  • Most of the time, such connections are made with no transport security (unencrypted), so any eavesdropper can observe and mangle requests/responses.
  • Latency in the path to the DB is usually an issue, so you want to minimize it, thus placing the client near to the DB.

Violating this common practice means you'll have to deal with these problems.

It's very common to have an intermediary service using some other protocol (for example, HTTP/REST) to expose an API that indirectly modifies the database. You keep the service on a host in your trusted computing base, and only that one host accesses the DB. In this architecture, you can (and should) perform authentication and mandatory access control in the intermediary service. In turn, having different credentials for each client that accesses that service will help keep things secure.


If you can't rewrite your application at this point, you should follow patriciasz's suggestion on keeping the least privilege possible. You may also be interested in techniques to make it harder (but not impossible) to obtain the credentials.

There is no way to protect your code (compiled or not) from the owner of the machine it runs on.

In this case he will effectively have the same access restrictions your application's SQL user has.

There is no good way to protect your code, but you can use the read_default_file option while using connect. The connection arguments will then be read from the file specified with read_default_file. NOTE: This in no way secures your username and password, since anyone having access to the cnf file can get the information.

Build an interface between the database and the application. Only the interface will get true database access.

Give the app credentials to access the interface, and only the interface, then let the interface interact with the database. This adds a second layer to boost security and helps to protect database integrity.

In the future, develop with separate logic from the start. The app does not need to access the database. Instead, it needs data from the database.

Also, as a rule of database security, avoid putting credentials on the client side. If you have n apps then n apps can access your database, and controlling access points is a big part of database logic.
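The intermediary-service design described in the first answer and the "interface between the database and the application" in the answer above amount to the same thing; here is an added example of that service's core (not code from the question or from any of the answers). It assumes constructed per-client API tokens, a fixed set of named operations mapped to parameterized SQL, and an in-memory sqlite3 table standing in for the remote MySQL server; only this service would ever hold the MySQL credentials.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: each client gets its own credential (store only the hash)
# and its own set of permitted operations, so a leaked desktop token cannot do more
# than the desktop app itself was allowed to do.
_CLIENT_TOKEN_HASHES = {
    "desktop-app": hashlib.sha256(b"tok-desktop-1").hexdigest(),
    "report-tool": hashlib.sha256(b"tok-report-2").hexdigest(),
}
_ALLOWED_OPS = {
    "desktop-app": {"list_items", "add_item"},
    "report-tool": {"list_items"},
}
# Clients name an operation; they never send SQL. Values are always bound as parameters.
_OPERATIONS = {
    "list_items": "SELECT id, name FROM items ORDER BY id",
    "add_item": "INSERT INTO items (name) VALUES (?)",
}
_DUMMY_HASH = hashlib.sha256(b"unknown-client").hexdigest()

# Stand-in for MySQLdb.connect(read_default_file=...) on the trusted host (assumption).
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")


def authenticate(client_id, token):
    """Constant-time check of the presented token against the stored hash."""
    expected = _CLIENT_TOKEN_HASHES.get(client_id, _DUMMY_HASH)
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Always run compare_digest, even for unknown clients, to keep timing uniform.
    matches = hmac.compare_digest(expected, presented)
    return client_id in _CLIENT_TOKEN_HASHES and matches


def handle_request(client_id, token, op, params=()):
    """Simulates one API call; returns (http_status, rows) as the REST service would."""
    if not authenticate(client_id, token):
        return 401, None                      # unknown client or bad token
    if op not in _ALLOWED_OPS[client_id]:
        return 403, None                      # authenticated but not permitted
    cur = _DB.execute(_OPERATIONS[op], tuple(params))
    _DB.commit()
    return 200, cur.fetchall()


if __name__ == "__main__":
    print(handle_request("desktop-app", "tok-desktop-1", "add_item", ["widget"]))
    print(handle_request("report-tool", "tok-report-2", "list_items"))
    print(handle_request("report-tool", "tok-report-2", "add_item", ["x"]))  # 403
```

Rotating one client's token or revoking one client then touches only the service's table, not the MySQL account, which is the operational gain over shipping the database password inside the app.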

Separating the program logic is the real deal; the credentials don't have to reside on the client machine, as chip said.
