Closed samcrow closed 8 years ago
K I've created a new login called ReadOnlyLogin with password 'A2305Bmcnsdf'.
That is good. The other account (with write access) still has the same publicly available password. Please change the password for that account.
Thanks for reminding me. Password reset.
The username and password that the application uses to connect to the remote database server are publicly available from our code. Because we do not have an API layer between the application and the database, storing the credentials like this is inevitable.
Currently, anyone can connect to our database and change table structures or delete data. We do need to allow anyone to access our database, but they should not be able to change or delete things.
If we can create multiple accounts with different permissions, we should change the password on the current account, keep it secret, and use that account for database administration tasks. We would create a restricted account that only has permission to read and have the application use that account.
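The account split proposed in this issue, sketched as an added example that is not part of the original thread or the project's code. It assumes Microsoft SQL Server (the thread does not name the database engine); the database name `AppDb`, the user name `ReadOnlyUser`, the admin login name `AdminLogin` and the password placeholders are hypothetical.

```sql
-- Added example. Assumptions: SQL Server 2012 or later, a database named AppDb,
-- an existing administrative login named AdminLogin (hypothetical names).

USE master;

-- 1. Rotate the password of the write-capable account and keep the new value
--    out of the repository. The placeholder is filled in at run time.
ALTER LOGIN AdminLogin WITH PASSWORD = '<new-admin-password-placeholder>';

-- 2. Create the login that the application will ship with.
CREATE LOGIN ReadOnlyLogin
    WITH PASSWORD = '<read-only-password-placeholder>',
         CHECK_POLICY = ON;

USE AppDb;

-- 3. Map the login to a database user and give it read access only.
CREATE USER ReadOnlyUser FOR LOGIN ReadOnlyLogin;
ALTER ROLE db_datareader ADD MEMBER ReadOnlyUser;

-- 4. Deny writes and schema changes explicitly. A DENY overrides any GRANT
--    the user might later inherit through another role.
ALTER ROLE db_denydatawriter ADD MEMBER ReadOnlyUser;
DENY ALTER, EXECUTE, CREATE TABLE TO ReadOnlyUser;

-- 5. Check the result while impersonating the restricted user.
EXECUTE AS USER = 'ReadOnlyUser';

SELECT
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS can_select,  -- expect 1
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT') AS can_insert,  -- expect 0
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'UPDATE') AS can_update,  -- expect 0
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'DELETE') AS can_delete,  -- expect 0
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'ALTER')  AS can_alter;   -- expect 0

-- Full list of effective database-level permissions for the restricted user.
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;

REVERT;
```

Because the read-only credentials remain public by design, the permission check in step 5 is worth re-running after any role or schema change.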