  1. #1
    Join Date
    Mar 2008
    Posts
    10

    Unanswered: define a password in the table

    Hi,
    I am planning to design a database and have some problems with security stuff, as follows:
    I have table called supplier and another table called invoice
    Table supplier:
    supplier id
    supplier add
    supplier tel
    supplier password

    table invoice:
    supplierid
    branchid
    ...


    The requirement is that each supplier should be able to access the invoice table and submit their invoice. What I have thought is that in the supplier table I would have a password column which is defined to be unique.
    Now what I am trying to achieve is that when the supplier enters their password, the matched supplier id for that password from the supplier table should be found, and once it is found, it should be inserted into the supplier id in the invoice table.
    The supplier should not be able to modify the supplier id on the invoice table. By that I mean that once their password has been entered and the supplier id was found, the supplier id should automatically be inserted into the invoice table and the supplier should not be allowed to change it.

    Any help appreciated.

  2. #2
    Join Date
    Dec 2007
    Location
    London, UK
    Posts
    741
    Identifying suppliers only by password seems like an inherently insecure form of authentication. Have you ever seen any other system that worked that way? I haven't and I wouldn't trust one that did.

    I suggest you allocate each supplier a unique login name and allow them to choose a password at will (with complexity rules enforced). That way you don't leave yourself open to password guessing attacks. Passwords should never be stored in retrievable form. Store a secure hash of the password and then verify the hash. You can use the HashBytes function to do that in SQL Server.

  3. #3
    Join Date
    Mar 2008
    Posts
    10
    Could you please explain a bit more?
    I will give you an example of what I want from the system.

    We assume the supplier id is 1, the username is linux and the pass is abc.
    When they log in to the system and want to add some data, the supplier id in the invoice table should be filled automatically (matching the pass with their supplier id) and they should not have the ability to modify it. So that means that the supplier id for my example would be 1 and they should not be able to change it.
    Could you please give me an example of the code that I should use?
    Thanks

  4. #4
    Join Date
    Dec 2007
    Location
    London, UK
    Posts
    741
    You didn't mention a username in your first post. If the supplier has a unique username then the password doesn't have to be unique and security is greatly increased because an intruder doesn't have to guess just any password, he has to guess the right password for the user. Furthermore you can lock out a user after N attempts with a wrong password.

    Why don't you want to allow a supplier to change a password? Passwords should be changed regularly to keep them secure and should generally be under the control of the user being authenticated. Changing passwords regularly is very basic security best practice, as is not storing passwords in any retrievable form.
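
One way to put the replies above together in SQL Server (2012 or later), as an added example that is not part of the original thread: a unique login name, a salted HashBytes digest instead of a stored password, a lockout counter, and a stored procedure that fills in the supplier id itself. All table, column, procedure and role names, and the lockout limit of 5, are assumptions.

```sql
CREATE TABLE dbo.Supplier (
    SupplierId     INT IDENTITY PRIMARY KEY,
    LoginName      NVARCHAR(50)  NOT NULL UNIQUE,  -- the login name is unique, the password is not
    PasswordSalt   VARBINARY(16) NOT NULL,
    PasswordHash   VARBINARY(64) NOT NULL,         -- SHA2_512(salt + password), never the password
    FailedAttempts INT NOT NULL DEFAULT 0
);
CREATE TABLE dbo.Invoice (
    InvoiceId  INT IDENTITY PRIMARY KEY,
    SupplierId INT NOT NULL REFERENCES dbo.Supplier (SupplierId),
    BranchId   INT NOT NULL
);
GO
CREATE PROCEDURE dbo.AddSupplier @LoginName NVARCHAR(50), @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);  -- fresh random salt per supplier
    -- A single salted SHA-2 round is fast to brute-force; a slow password hash
    -- computed in the application tier is stronger where one is available.
    INSERT INTO dbo.Supplier (LoginName, PasswordSalt, PasswordHash)
    VALUES (@LoginName, @Salt,
            HASHBYTES('SHA2_512', @Salt + CAST(@Password AS VARBINARY(256))));
END
GO
CREATE PROCEDURE dbo.SubmitInvoice @LoginName NVARCHAR(50), @Password NVARCHAR(128), @BranchId INT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @SupplierId INT, @Salt VARBINARY(16), @Hash VARBINARY(64), @Failed INT;
    SELECT @SupplierId = SupplierId, @Salt = PasswordSalt,
           @Hash = PasswordHash, @Failed = FailedAttempts
    FROM dbo.Supplier WHERE LoginName = @LoginName;
    -- Unknown login and locked account return the same error as a wrong password.
    IF @SupplierId IS NULL OR @Failed >= 5
    BEGIN RAISERROR('Login failed.', 16, 1); RETURN; END
    IF @Hash <> HASHBYTES('SHA2_512', @Salt + CAST(@Password AS VARBINARY(256)))
    BEGIN
        UPDATE dbo.Supplier SET FailedAttempts = FailedAttempts + 1 WHERE SupplierId = @SupplierId;
        RAISERROR('Login failed.', 16, 1); RETURN;
    END
    UPDATE dbo.Supplier SET FailedAttempts = 0 WHERE SupplierId = @SupplierId;
    -- SupplierId comes from the authenticated row; the caller has no parameter for it.
    INSERT INTO dbo.Invoice (SupplierId, BranchId) VALUES (@SupplierId, @BranchId);
END
GO
-- Suppliers get EXECUTE on the procedure only, with no direct rights on dbo.Invoice.
CREATE ROLE SupplierApp;
GRANT EXECUTE ON dbo.SubmitInvoice TO SupplierApp;
```

With the thread's sample values, `EXEC dbo.AddSupplier N'linux', N'abc'` followed by `EXEC dbo.SubmitInvoice N'linux', N'abc', 7` writes an invoice row whose SupplierId is taken from the matching supplier row (branch id 7 is a constructed value).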
