Ok, I know this has been asked a thousand times before, but no conclusive solution has been derived...so here is another really silly question!

I have a Winforms 3.5 app and using LINQ to SQL, hence the Connection string is ALWAYS stored in "app.config" by default (and VS2008 will not accept any other way of storing this - I've even tried overwriting this in the IDE-generated code). That being said, any person with a bit of computer know-how needs to just browse to the install directory of the app, look for the [appname].exe.config file, and open it to reveal the supposed secure username/password for accessing the database. Even if you opt to encrypt/decrypt this section, it is only done when the app is running - so I'm assuming that when the app is closed, the connString section reverts to plain text....that can be once again read. (....how do you win?!?!)

Keeping in mind that I'm using LINQ and generating a LinqDataContext, what I would like to know is this:

  1. Can the connstring not be stored elsewhere besides the app.config? (perhaps like in a user setting file that can be modified after installation)
  2. If the above is possible, can I not store a pre-encrypted connstring into the config file (that certainly won't be able to be read) and in my application, opt only to decrypt the connstring whenever the connection is opened?

If none of this is possible, I may have to revert to using traditional ADO.NET (seeing that I already have hundreds of stored procs for all CRUD operations) - at least that way I can have control over how and where the connstring is stored.

BTW - sorry if this is a juvenile/confusing question to ask, and if you feel that I'm wrong with anything I'm explaining please let me know.

Much thanks!

A: 

You can store a pre-encrypted conn-string in the app.config, but I guess it will be useless, since your application sooner or later will decrypt the conn-string (and the plain text will be available to anyone interested!)

So you should obtain an SSL certificate too... (Not a self signed one)

Chocol8
true, though would it do the same for a pre-encrypted string in a Winforms App.config file?? I've got this working perfectly with decryption happening on the fly and persisted in-memory.
Shalan
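An added example, not code from either poster: one way to keep a pre-encrypted connection string outside the plain-text section and decrypt it only when the LINQ to SQL context is created, using Windows DPAPI (`ProtectedData`). The class name, entropy label and sample connection string are assumptions made for illustration; the project needs references to System.Security and System.Data.Linq.

```csharp
using System;
using System.Data.Linq;
using System.Security.Cryptography;
using System.Text;

static class ProtectedConnString
{
    // Extra entropy mixed into DPAPI; constructed label, not a secret by itself.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SampleApp.ConnString.v1");

    // Run once (installer step or first launch) and save the result in a
    // user setting instead of the plain-text connectionStrings section.
    public static string Protect(string plain)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Decrypt only at the moment a DataContext is created.
    public static string Unprotect(string stored)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException ex)
        {
            // The blob was copied from another Windows account/machine or was altered.
            throw new InvalidOperationException(
                "Stored connection string cannot be decrypted for this user.", ex);
        }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample value; server, database and credentials are placeholders.
        string stored = ProtectedConnString.Protect(
            "Data Source=db.example.test;Initial Catalog=SampleDb;User ID=app_user;Password=placeholder");

        // DataContext (and the designer-generated subclass) has a constructor that takes
        // a connection string, so the app.config value does not have to be used.
        using (var db = new DataContext(ProtectedConnString.Unprotect(stored)))
        {
            Console.WriteLine("Database: " + db.Connection.Database);
        }
    }
}
```

The stored blob is unreadable to other Windows accounts, but the decrypted string still exists in the process at run time, which is the limitation the answer above points out.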