tags:

views:

290

answers:

4
+2  Q: 

How do I securely hide database credential in C# application?

Hi,

I have a situation that users access remote MySQL server in C# application.

Basically,

A user using C# application on his/her desktop ->>>> connects to remote ->>>>>>>> [ REMOTE ]

How do I securely hide database connection detail?

I have few ideas, but I don't think they are safe.

  1. Encrypt database connection data into a file and store it within application directory.
  2. prompt login page and let a human enter username/password, then transfer database connection data to user's computer.
+5  A: 

No matter what you do if the credentials end up in the application in cleartext you are vulnerable.

Either implement a service layer in front of the database or if direct connections are essential try and come up with a scheme that allows a unique databse account for each user and then authorise them appropriately on the database.

sipwiz  2009-11-05 01:22:25
Service layer +1
James Bailey  2009-11-05 01:22:55
+1 for service layer.
Glenn Condron  2009-11-05 01:25:04
+3  A: 

Generally, it's better to ask the user for the credentials so that each account can be enabled or disabled by the administrator. Barring that, there are APIs for encrypting all or part of the configuration file. Here's a sample article:

http://www.codeproject.com/KB/dotnet/EncryptingTheAppConfig.aspx

James Bailey  2009-11-05 01:22:29
Yes, ask the user.
jeffamaphone  2009-11-05 01:25:41
+1 Use system.configuration.configurationmanager with an encrypted connection string. Or unique credentials.
J.Hendrix  2009-11-05 03:14:53
A: 

link textSee http://www.codeproject.com/KB/cs/Configuration%5FFile.aspx for app.config and http://msdn.microsoft.com/en-us/library/dx0f3cf2(VS.80).aspx for the web.config

Dave  2009-11-05 01:25:38
A: 

I would suggest some form of session management based on user credentials. This can be accomplished in many ways.

For instance, you may accomplish this by simply wrapping your database access with a back-end system. Your desktop clients are oblivious to the database and interact solely with the back-end system. Unfortunately, implementing this level of indirection is not trivial if you have to do it from scratch but it will certainly make your application more robust and flexible. WCF services can help accomplish this.

Newbie  2009-11-05 02:08:23
I missed sipwiz answer. It is pretty much the same as this one.
Newbie  2009-11-05 02:10:20

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?