
C# protect database connection information

Tags:

c#

mysql

Currently I'm storing my C# MySQL connection information inside the class file itself, which doesn't seem that smart, since end users could simply use a reflector to view the source code in case it's not obfuscated.

How could I store that information in a safe way?

Source code:

private void Initialize()
{
    server = "xxx";
    database = "xxx";
    uid = "xxx";
    password = "xxx";
    string connectionString;
    connectionString = "SERVER=" + server + ";" + "DATABASE=" +
    database + ";" + "UID=" + uid + ";" + "PASSWORD=" + password + ";";

    connection = new MySqlConnection(connectionString);
}
user7347727 asked Dec 29 '16 13:12



2 Answers

I'm answering this to address security for a local application, as that's what OP's situation sounds like, despite other answers treating it as if it's a web application.

If a single database is shared by multiple users with different security concerns, as I suspect it is, then you really shouldn't store the database connection string locally, in the code, in the config, encrypted in the config, etc. The client should never have this information. This is the only way to truly guarantee security client-side.

A determined person can simply reverse-engineer your code, and unencrypt the connection details. Furthermore, if they use something like .NET Reflector to debug your code, they can use reflection to pull the connection string, including password, out of the connection object. Then it's trivial for them to connect directly to your database and extract any information they want. Of course you could have an IP whitelist, but if one of those users is bad then you still have the same issue.

My recommendation is that you create a web service which will manipulate your database. The software that your end-users use then simply authenticates itself with the web service using the user's credentials and then uses that to access resources they are allowed to. This is how many modern applications operate.


If each user has their own database then you can simply store the connection string encrypted locally, as this will be enough to prevent most problems, except for malicious people with access to the users' machine.

Obviously, as Vladimir said, you can take this as a general solution (encrypt it in the config and hope for the best), but I really don't recommend this if any security is required. For example, if you are storing user passwords in the database - even in hashed form - this is not a secure idea. The risk you'll run with using this method for everyone is that somebody could steal all of your data, or wipe all of your data, or even manipulate the data to their advantage.

DiplomacyNotWar answered Sep 18 '22 23:09


The standard way to protect connection strings in .NET is to encrypt them in your config file.

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

You will need to grant access to the application to use the key to decrypt this when it runs; see the MSDN article on secure connection strings.

Fenton answered Sep 19 '22 23:09
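
For a desktop application like the one in the question, the same config-file encryption can be applied from code instead of `aspnet_regiis`. This is an added example, not code from either answer; it assumes the connection string has been moved out of the class into the `<connectionStrings>` section of App.config under the hypothetical entry name `AppDb`.

```csharp
using System.Configuration;        // requires a reference to System.Configuration
using MySql.Data.MySqlClient;      // MySQL connector used in the question

static class ProtectedConnection
{
    // Hypothetical name of the entry inside <connectionStrings> in App.config.
    private const string EntryName = "AppDb";

    // Encrypts the <connectionStrings> section of this executable's config file in place.
    // DataProtectionConfigurationProvider uses Windows DPAPI with a machine-bound key,
    // so this must run on the target machine (for example at install or first start).
    public static void EncryptConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");
        if (section.SectionInformation.IsProtected)
            return; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Reads the entry; the configuration system decrypts a protected section transparently.
    public static MySqlConnection Open()
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[EntryName];
        if (entry == null)
            throw new ConfigurationErrorsException("Missing connection string: " + EntryName);

        var connection = new MySqlConnection(entry.ConnectionString);
        connection.Open();
        return connection;
    }
}
```

This protects the file at rest and against copying it to another machine. The decrypted string is still available to anyone who can run or debug the process on that machine, which is the limitation the first answer describes.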