tags:

views:

208

answers:

3
+7  Q: 

C# mysql connection practices.

If a C# application connects to a mysql server from a client, how do I store the mysql username/password for the connection? If I have it in a config file or embedded in the source it can be found by reverse engineering. It is not possible to give all users a MySql password.

Also, I have a log in for the application. How do I enforce that the user goes through the login process and does not just reverse engineer and comment out the C# code verifying the log in?

Is there anyway manage these connections between MySql and a client side application or must there be a third program on the server side interacting with the database locally to be secure?

+1  A: 

Here is the problem. You are trusting the end user with the binaries which will call MySQL queries. This means, beyond any shadow of a doubt, that a clever user could "take control" and run queries directly.

There are things you can do to improve the situation. It sounds like you are on a LAN. Why can't you give each user their own database user? That means that the authentication is (a) taken care of for you, and (b) you can use "real" MySQL permissions to limit what harm they can do. Also, you could use stored procedures and give them only access to the procs, really limiting what they can do.

You could also consider re-writing as a web-application where you process everything on the server out of their reach.

However, is there really a problem here, or are you just being theoretical?

gahooa  2010-01-16 04:35:11
+2  A: 

Perhaps you can have a two-stage system: Have a SQL account whose only permission is to execute a stored procedure taking the user's username and password and giving them the credentials to use for the real account. When the user logs in, you connect using the restricted account, get the credentials for the real account, and then do your work using that account. You can change the SQL password fairly frequently, too. If you suspect a user of foul play, have the procedure return them a different set of credentials, and track those credentials.

Yuliy  2010-01-16 04:41:47
I think I like this. Are there any potential problems with this solution?
MattR  2010-01-16 04:46:25
As mentioned by Paul Sasik, if there's a shared password being used, a user with sufficient access to their own machine can grab that password. So while this will mitigate the issue (only logged-in users can find out the SQL password), it does not eliminate it. To completely eliminate it, you'd need to have something between the user and the database.
Yuliy  2010-01-16 05:23:05
+2  A: 

For Winform clients that connect directly to the db this is an age old (10 years or so?) question that may never be solved.

The problem is that no matter how you encrypt or obfuscate the connection string there will always be a point in time at which the string will be represented as plain text in the client computer's memory and therefore hackable.

You have been recommended options by other SOers, i just thought i'd point out what you're trying to work around.

Paul Sasik  2010-01-16 04:50:34

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?