Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

C# mysql connection practices

Tags:

c#

security

mysql

If a C# application connects to a mysql server from a client, how do I store the mysql username/password for the connection? If I have it in a config file or embedded in the source it can be found by reverse engineering. It is not possible to give all users a MySql password.

Also, I have a log in for the application. How do I enforce that the user goes through the login process and does not just reverse engineer and comment out the C# code verifying the log in?

Is there anyway manage these connections between MySql and a client side application or must there be a third program on the server side interacting with the database locally to be secure?

like image 984
MattR Avatar asked Jan 16 '10 04:01

MattR


2 Answers

Perhaps you can have a two-stage system: Have a SQL account whose only permission is to execute a stored procedure taking the user's username and password and giving them the credentials to use for the real account. When the user logs in, you connect using the restricted account, get the credentials for the real account, and then do your work using that account. You can change the SQL password fairly frequently, too. If you suspect a user of foul play, have the procedure return them a different set of credentials, and track those credentials.

like image 81
Yuliy Avatar answered Nov 04 '22 01:11

Yuliy


For Winform clients that connect directly to the db this is an age old (10 years or so?) question that may never be solved.

The problem is that no matter how you encrypt or obfuscate the connection string there will always be a point in time at which the string will be represented as plain text in the client computer's memory and therefore hackable.

You have been recommended options by other SOers, i just thought i'd point out what you're trying to work around.

like image 36
Paul Sasik Avatar answered Nov 04 '22 00:11

Paul Sasik