B4J Question security of mysql db on b4j server

ArminKH

Well-Known Member
Hi
Before using B4J I used PHP for managing an online DB (MySQL).
I always put my DB user and pass in a PHP file and limit the user access to read only (permission 400, I think).
Then on the main PHP page, like search.php, I include my db.php, and by using this security solution my database is safe.
Now what about B4J?
On B4J, when I want to access my MySQL database, we should enter the user and pass of the DB, and maybe my server is decompiled and then my user and pass are simply accessible.
What is the same security solution on B4J?
Thank you
 

ArminKH

Well-Known Member
"How can the server be decompiled? If a hacker has access to the file system then the password in the PHP script will not be safe at all."
OK, if the server cannot be decompiled, why do we limit the access to our database by using permissions?
My question is just to find a similar way to ensure maximum security, not just to compare PHP and B4J.
Thanks Erel
 

ArminKH

Well-Known Member
Does B4J have any similar way to include other B4J servers in the same place? Or any similar solution? If not, can this happen in the future?
 

Daestrum

Well-Known Member
Licensed User
"why we limit the access to our database by using permissions?"
That's the correct way. You don't give a query full access if it's only reading the database. You give it a user/password that only has read permissions set in the database.
Most DBs have built-in security for this purpose.

A login screen, for example, needs only read permissions on one table to decide if the logon credentials are valid. So in the DB you create a 'login' user/password and only grant read permission on the 'users' table.
Couple that with a retry delay that grows on each successive logon failure; this will frustrate a brute force attack.
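
The least-privilege setup described in the post above, written out as MySQL statements. This is an added example, not part of the original post; the `appdb` schema, the column names, the `'localhost'` host and the placeholder password are assumptions.

```sql
-- Added example; schema `appdb`, the column names, the host and the
-- placeholder password are assumptions. Run once as an administrative account.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.users (
    id            INT AUTO_INCREMENT PRIMARY KEY,
    username      VARCHAR(64)  NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL,   -- store a salted hash, never the password
    email         VARCHAR(255)
);

-- Too broad: every query the server issues could alter or drop any table.
-- GRANT ALL PRIVILEGES ON appdb.* TO 'app'@'%';

-- Narrow: the login screen's account can only read, only from `users`,
-- and only the two columns needed to check credentials.
CREATE USER IF NOT EXISTS 'login'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD';
GRANT SELECT (username, password_hash) ON appdb.users TO 'login'@'localhost';

-- Check what the account really holds.
SHOW GRANTS FOR 'login'@'localhost';

-- Connected as 'login', these statements must be rejected by the server:
--   UPDATE appdb.users SET password_hash = 'x' WHERE username = 'a';
--   SELECT email FROM appdb.users;
--   SELECT * FROM appdb.orders;      -- any other table (hypothetical name)
-- while this one succeeds:
--   SELECT password_hash FROM appdb.users WHERE username = 'a';
```

If the server's connection settings for this account are ever read by someone else, what they can reach in the database is limited to the two granted columns.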
 

ArminKH

Well-Known Member
Excuse me for my English if I can't explain my problem exactly.
On the PHP side we have a page like search.php and another like db.php, and we also have a MySQL database.
Our database has a username and password for access to the data.
Now in db.php we have our username and password values and connect to our database by using PDO.
Then we limit db.php's permissions to the most limited mode.
Then in search.php we just include our db.php, and our username and pass values are kept on a secure page.
Now what about B4J?
I know that if our server is hacked then each part of our server is crackable.
It would be better or safer if there were a way to include another B4J server, or any similar way to ensure this security solution.
And if not, OK, then that's not possible... :-D
Thank you ;-)
 