Reputation: 76240
Querying a database via desktop application / security
I'm going to write a desktop application using the Qt framework that should then be released to the public. But I'm worried about the safety of this approach.
I usually code in PHP therefore I'm aware of SQL Injections and anything database related to make any query secure but I came across a problem I've never faced before: desktop application send queries from the client to a server therefore, I've heard, is not as secure as server to server (PHP).
What are the main security risks, how Qt prevents them or how can I prevent them by specific coding techniques?
I'm sorry I cannot be any more specific but I'm not really experienced in the desktop application field.
Upvotes: 2
Views: 742
Answers (2)
Reputation: 4786
Qt does nothing for you to protect your data. You should focus in securing your RDBMS first. Of course you should code your Qt client application carefully to prevent unintended behavior by checking and sanitizing all inputs, etc. but if you're not going to distribute it, this shouldn't be your most immediate concern.
If you plan to use PostgreSQL as the backend for your application, you can take some measures to mitigate the risks that comes with exposing any service to the internets. The most basic:
- Setup a firewall with proper rules. Allow inbound connections from trusted sources only.
- Accept SSL connections only, even with a self-signed certificate.
- Enforce strong passwords. Use client certificates if more appropriated.
- Set your
pg_hba.conffile to only accept connections from known/trusted addresses.
Debian/Ubuntu have excellent PostgreSQL packages. Right after installing you can easily setup PG to allow SSL connections without going on the hassle of generating certificates manually.
Relevant PostgreSQL docs:
I can provide you a very basic example Qt application (unfinished) that was designed to work with PostgreSQL if you want. Just let me know.
Edit: uploaded the example app to GitHub: exampleapp. Tried to tidy up but there's still a mess with a lot of strings that were originally written in spanish. At any rate, you can still find a bit of useful code if you're starting with Qt. Oh, and I'm using Qt5 and had to compile my own PostgreSQL driver for Qt (not a big deal if you're on Linux). I mention this because the app might or might not compile with Qt4. Good luck!
Upvotes: 4
Reputation: 4962
Regarding
desktop application send queries from a computer to a server
I don't know the exact situation you're thinking of but keep in mind that stored procedures can be used in this situation to mitigate risk of sql injection. If the desktop application only has rights to call a series of stored procedures on the db server and nothing else then you've reduced the risk considerably. If the desktop client cannot be trusted at all then the alternative is to not let the client desktop application access the db directly. You could write a layer to reside on the server which does all the db access for the clients and the client interact with that rather than a db.
Upvotes: 1
Related Questions
- Installing Qt and MySQL to code and connect with the database
- Connecting to Local Database with Qt
- Accessing MySQL database from C++
- Qt - GUI Database programming
- Hiding MySQL Credentials in Application
- Connect Qt to a Database
- C++ program that connects to MySQL
- Qt remote database with MySql?
- Embedded database for desktop applications question
- Desktop App w/ Database - How to handle data retrieval?