Question Logins - What's the best option?

Syzis (Member, joined Apr 23, 2011)
Hello,

I'm creating an app like a CRM (Customer Relationship Management) for a school, but I have some questions I'd like answered.

It will have a main user (Administrator), and that user can create other users to access the app.
The app will work locally, and I would like to know a method to save that information at localhost without it being accessible to edit or view by other users.

I'm thinking of an Access DB with all the info and then making all the information needed. But how do I secure it so that nobody else could access or modify it? An encryption method would be the best way.

Any suggestions, please? I'd like an example too, because I'm fairly new to security measures.

Thanks :)
 
Since I can assume you are using .NET by posting here... what about AD-integrated authentication? It's a snap for "fat" or web apps.
I would create groups for your app, assign them appropriate access in the app itself, and then you can have AD groups manage access to your app without worrying about storing another set of credentials.
 
Well, I think some really fundamental ground rules should be laid down about storing information like this.

Firstly, look into hashing. The MD5 hash sounds like it'll do the trick, to be honest. Hashing is one-way encryption, which means it can never, ever be reversed. This is good for storing passwords because all you do is re-hash the password as the user types it in and compare it to the hashed value in the database. That way you're never passing around sensitive information.

Secondly, one of the strongest methods of encryption would probably be an RSA keypair. I can't really explain it on here, but I would recommend a decent grasp of maths to understand it.

If you've got any hackers who might be using this, then you'll be vulnerable to SQL injection. To avoid this, use OLEDB parameters. I'm sure you already know how to interface with a database, but parameters prevent vulnerability to SQL injection.

For permission levels, all you really need is a field, surely? Say it's a school:

T - Teacher
S - Student
A - Admin

Then you can either be clever and dynamically change the interface depending on the user's permission level, or you can simply put an If statement around the button's functions:

If User_Permission = "T" OrElse User_Permission = "A" Then
    ' Some code
Else
    MsgBox("Sorry. You do not have the correct permission levels to access this function")
End If

Just a thought... Right, well, I hope my crypto-geek rant has helped! Good luck with the system :)
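The three points in the reply above (hash the stored password, use parameters instead of string concatenation, keep a permission letter per user) fit together in one small login routine. The block below is an added example written for this page, not code from either poster. It uses Python with an in-memory SQLite database as a stand-in for the Access file (an assumption; the SQL shape is the same, only the provider differs). It stores passwords as salted, iterated PBKDF2-HMAC-SHA256 digests rather than a bare unsalted hash, compares them in constant time, and shows a deliberately vulnerable lookup next to the parameterised one so the effect of the `' OR permission = 'A' --` input is visible. The usernames, passwords, role map and attacker payload are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example, not code from the thread. SQLite in memory stands in for the
# Access database (assumption); the SQL shape is the same, only the provider differs.

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
ALLOWED = {"edit_grades": {"T", "A"}, "manage_users": {"A"}}  # assumed role map


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive and compare in constant time so timing does not leak a prefix match."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, permission TEXT)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str, permission: str) -> None:
    salt = os.urandom(16)  # fresh per user: equal passwords get different stored hashes
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, permission) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), permission),
    )


def find_user_unsafe(conn: sqlite3.Connection, username: str):
    """Vulnerable lookup (for contrast only): the name is pasted into the SQL text."""
    sql = "SELECT username, permission FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterised lookup: the driver sends the value separately, never as SQL."""
    return conn.execute(
        "SELECT username, salt, pw_hash, permission FROM users WHERE username = ?",
        (username,),
    ).fetchone()


def login(conn: sqlite3.Connection, username: str, password: str):
    """Return the user's permission letter on success, None otherwise."""
    row = find_user(conn, username)
    if row is None:
        return None
    _, salt, pw_hash, permission = row
    return permission if verify_password(password, salt, pw_hash) else None


def has_permission(permission: str, action: str) -> bool:
    """Same check as the If statement in the reply, table-driven instead of hard-coded."""
    return permission in ALLOWED.get(action, set())


def demo() -> dict:
    conn = make_db()
    add_user(conn, "head", "correct horse", "A")
    add_user(conn, "ms_smith", "battery staple", "T")
    payload = "' OR permission = 'A' --"  # constructed attacker input
    return {
        "unsafe": find_user_unsafe(conn, payload),  # ('head', 'A'): the injection hit the admin row
        "safe": find_user(conn, payload),  # None: the payload was treated as a literal name
        "good_login": login(conn, "ms_smith", "battery staple"),  # 'T'
        "bad_login": login(conn, "ms_smith", "wrong"),  # None
        "teacher_edits": has_permission("T", "edit_grades"),  # True
        "teacher_admin": has_permission("T", "manage_users"),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same parameter pattern carries over to the .NET side the thread is about: with System.Data.OleDb against an Access file the placeholders are positional `?` marks in the command text and the values go into `OleDbCommand.Parameters`, so the user-supplied name never becomes part of the SQL string. Whatever hash you pick, store the per-user salt beside the digest; without it, two users with the same password have identical rows and a stolen table can be attacked with a single precomputed list.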
 