Paul Lambert wrote:
Andrus wrote:Run the application on a machine you control. Then the application can authenticate without the users being able to steal or piggyback on its credentials.Thank you for reply. My application is GUI applicatio which must run in customer computer andaccesses to 5432 port in remote PostgreSQL server located in customer side over internet.I cannot control customer computers. Andrus. ---------------------------(end of broadcast)--------------------------- TIP 9: In versions below 8.0, the planner will ignore your desire to choose an index scan if your joining column's datatypes do not matchIf the users have access to the database via having a username/password then it seems to me that they could use basically anything to connect via ODBC to the database and retrive/look at/update data. M$ Excel, Acces, reporting things like crystal reports etc and of course pgAdmin.If you hide the database username and password within your application (i.e. encrypted within the source code) so they cannot see the credentials that you connect to the database with internally then they have no means by which to connect to it using any other programs.What I gather is users in your case are set up as database users rather then having a users table on which your application authenticates. The downside of doing it the way you are doing it is always going to be that any user with a database username and password can connect to the database by any means they come by. I'm no Postgres expert, but I'm sure like any other RDBMS, postgres does not know, nor care, what application is doing the connection but rather just accepts an ODBC connection and the credentials that are passed to it.Regards, Paul.
