4

In Database 101 you learned never to distribute the sensitive database password along with your program, since all a person has to do is reverse engineer the program, find where you actually need the original password for authentication, then echo/print that line. However when you have multiple remote programs that need to talk to a central database, what do you do?

My hackish solutions used to involve PHP, tons of GET variables, and JSON. I would make a request to the server with a set mode and parameters, then parse the JSON output. It was buggy, not entirely secure (only slowed an attacker down) since I didn't have any registration mechanism, hard to scale, and made all existing ORMs useless. Besides, it was attempting to reinvent SSH or SSL, not something that's too terribly smart.

What's the alternative though? What other options are out there that can provide security for the database while making it easy on me?

Chris
TheLQ

2 Answers

5

The biggest thing I can comment on with databases and applications is to have multiple accounts. Separate accounts for read and write access also and give these accounts the least required access to complete the given task.

You do have alternatives such as VPNs/SSH tunnels to have a more secure channel for distributed remote access to your central database.

Also, you should never really deal with the database directly in your applications; rather, your applications should have a database abstraction layer of some sort which interacts with the database. This is one: good design, and two: a better approach, as you place all the DB interaction in one place and provide your application with an API to use the database interaction layer.

Chris
4

Wrapping the database in a services/API layer is the most common way to do this.

At the most basic level provide full ORM mapping, but generally you would provide endpoints that provide different create / update / result features.

Like your hackish PHP solution, only good :)

ocodo