Secure ConnectionString in WinForm Applications

How Can I Secure my ConnectionString in WinForm Application?

Hossein Moradinia asked Aug 18 '11 11:08


People also ask

How do I secure my ConnectionString?

The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.

What is ConnectionString in web config?

<connectionStrings>
  <add name="dbconnection" connectionString="Data Source=Soumalya;Integrated Security=true;Initial Catalog=MySampleDB" providerName="System.Data.SqlClient" />
</connectionStrings>

How do I create a ConnectionString in web config?

string strcon = ConfigurationManager.ConnectionStrings["Dbconnection"].ConnectionString;
SqlConnection DbConnection = new SqlConnection(strcon);


1 Answer

You can't. Although you can encrypt the connection string in the app.config file, the application needs to be able to decrypt it and it is, therefore, always possible to retrieve the unencrypted connection string, especially with a managed application (perhaps not for your typical end user, but any skilled developer or hacker can do this, and even end users can figure this out after a little bit of googling).

The solution to this is to not lean on security by obscurity. Use Windows Integrated Security when connecting to the database using the Windows user account and give the user the minimum amount of rights in the database.

Often though that is still not enough, because it is very hard to secure the database enough when end users are directly connected to the database (often because you need row-level security). For this to work you need to deny access to tables and views and completely fall back to stored procedures.

A better approach, however, is to prevent the desktop application from communicating directly with the database. Instead, use a web service as an intermediate layer. In that case you have full control over the security and you can store the connection string securely on the (web) server.

Steven answered Oct 09 '22 01:10
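An added example, not part of the original answer: T-SQL for the database-side setup the answer describes (Windows Integrated Security, minimum rights, tables denied, access through stored procedures only, with the procedure enforcing row-level filtering). It assumes SQL Server 2012 or later; the database, Windows group, role, schema, table and procedure names are all hypothetical.

```sql
-- Added example. Every name here (SalesDb, CONTOSO\SalesAppUsers, SalesAppRole,
-- app schema, dbo.Orders, app.GetMyOrders) is hypothetical.
-- Client side, the WinForms app then needs no secret in app.config:
--   Data Source=<server>;Initial Catalog=SalesDb;Integrated Security=true
USE SalesDb;
GO

-- Map a Windows group to a login and a database user; no SQL password exists.
CREATE LOGIN [CONTOSO\SalesAppUsers] FROM WINDOWS;
GO
CREATE USER [CONTOSO\SalesAppUsers] FOR LOGIN [CONTOSO\SalesAppUsers];
GO
CREATE ROLE SalesAppRole;
ALTER ROLE SalesAppRole ADD MEMBER [CONTOSO\SalesAppUsers];
GO

-- Separate schema for the procedures end users may call, owned by dbo so the
-- ownership chain from procedure to table stays unbroken.
CREATE SCHEMA app AUTHORIZATION dbo;
GO

CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    OwnerLogin SYSNAME        NOT NULL,  -- Windows account that owns the row
    Amount     DECIMAL(10, 2) NOT NULL
);
GO

-- Deny direct access to every table and view in dbo.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO SalesAppRole;
GO

-- Row-level filtering lives in the procedure: callers only see their own rows.
-- Static SQL only; ownership chaining does not cover dynamic SQL.
CREATE PROCEDURE app.GetMyOrders
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Amount
    FROM dbo.Orders
    WHERE OwnerLogin = ORIGINAL_LOGIN();  -- the caller's own Windows account
END;
GO

-- The only permission the desktop users receive.
GRANT EXECUTE ON SCHEMA::app TO SalesAppRole;
GO
```

A group member who opens the database directly, for example from a query tool, gets a permission error on `SELECT * FROM dbo.Orders`, while `EXEC app.GetMyOrders` returns only that member's rows.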