The issue here is the use of a two-tiered application.
Basically, the flaw here is that you're trusting your client application, which is by definition NOT trustworthy.
This is much the same as trying to do web app validation in client-side JavaScript.

Ultimately, I see two possibilities for you:
1- Implement some accountability in your system: drop the generic users and assign private database user accounts to all clients.

2- Make sure all validation logic in the client app is replicated in your stored procedures.

All efforts at securing the system at the client app layer are mere obfuscation and are bound to fail sooner or later. You will never be able to trust the client app since it runs on an untrusted machine and network.


Ammo
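
The two options above combined in one sketch, as an added example that is not part of the original answer. It assumes PostgreSQL (the post names no database), and the table, roles, function and validation limits are hypothetical.

```sql
-- Assumed PostgreSQL; every name and limit below is hypothetical.
CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    customer   text NOT NULL,
    quantity   integer NOT NULL,
    created_by text NOT NULL,                 -- database login that made the call
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Option 1: one login per person instead of a shared generic user.
CREATE ROLE app_clients NOLOGIN;              -- group role that carries the grants
CREATE ROLE alice LOGIN IN ROLE app_clients;  -- authentication configured separately

-- Clients get no direct table access; the function is the only way in.
REVOKE ALL ON orders FROM PUBLIC;
REVOKE ALL ON SEQUENCE orders_id_seq FROM PUBLIC;

-- Option 2: the checks the client app performs are repeated server-side.
CREATE FUNCTION place_order(p_customer text, p_quantity integer)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER                              -- runs with the owner's table rights
SET search_path = public, pg_temp             -- pin name resolution for the definer
AS $$
DECLARE
    new_id bigint;
BEGIN
    -- Same rules as the client form, enforced where the client cannot skip them.
    IF p_customer IS NULL OR length(trim(p_customer)) = 0 THEN
        RAISE EXCEPTION 'customer is required';
    END IF;
    IF p_quantity IS NULL OR p_quantity < 1 OR p_quantity > 1000 THEN
        RAISE EXCEPTION 'quantity must be between 1 and 1000';
    END IF;

    -- session_user is the login that opened the connection, even inside a
    -- SECURITY DEFINER function, so each row is tied to a personal account.
    INSERT INTO orders (customer, quantity, created_by)
    VALUES (trim(p_customer), p_quantity, session_user)
    RETURNING id INTO new_id;
    RETURN new_id;
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to the client group.
REVOKE ALL ON FUNCTION place_order(text, integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION place_order(text, integer) TO app_clients;
```

A modified or replaced client connecting as `alice` can still only call `place_order`, and any row it creates carries that login in `created_by`.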