C#: protect database connection string in settings to prevent decompilation?

Is there any way to keep people from using Reflector.net to decompile my C# .exe application? I know there are a lot of posts about this, but I don’t care if people can see my code; the only thing I want to "hide" is my database connection string.

I am currently using "Settings" in my C# to save database connection information. I wanted to know if using this line in my Settings project could prevent people from seeing this?

I use DotFuscator in Visual Studio 2008, but I heard that this did not stop people from decompiling my program.

I know that I can use web services, but my server will be on Linux, so I think I cannot store web services on Linux.

+4
4 answers

No. Even if you encrypt the connection string in the program code or in the settings file, you will need to decrypt it, and the program must contain the decryption key somewhere, which means that anyone who is interested in searching for it will find it, regardless of how creatively you hide it. Why do you need to hide the connection string? If you are afraid that the one who has your program might directly call web services and initiate unintended actions, you should study how web services are structured, what they allow clients and how authorization works, and make security improvements there instead.

+4

If your program has a connection string, users of your program can retrieve it. Even if you encrypt it, they can sniff it when your program connects to the database server.

If you do not want your users to know your login credentials, do not provide user login credentials. This is the only way.

You can do this by giving each user their own credentials and using the permission system on the database server to control what they can or cannot do.

+5

Check out this tutorial on this topic from MSDN. However, keep in mind that this only replaces security. Now you need to manage key security.

0

According to others, obfuscation is not real protection for the connection string stored in the client application, where the user has access to binary files.

Do not use a direct connection to the database from your program if the user is not trusted to use the database directly with the same privileges. Have a service (web service, REST service, etc.) in between, which you host on your own server. Linux can host services of any of the types I talked about (use Mono if you want them in .NET on Linux).

To expose your database through a web service using Mono or any other language / framework that you can host on Linux, you would create a web service method for every atomic operation you want to perform against the database.

An additional advantage over allowing the client application to directly access the database is that when the client application uses the service between itself and the database, you can change the data store without affecting the client. You can change the database schema in your database or replace the database with a NoSQL solution or even a flat file.

Having a service instead of a direct connection to the database moves the authentication / authorization requirement one step, so now you need to implement it in the service. Fortunately, the web service has rich authentication support.

0
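
The service-in-between design from the answer above, sketched as an added example (not code from any of the answers). The class name, tokens, port, `/orders/count` operation and the `ORDERS_DB_CONNECTION` variable are hypothetical, and an in-memory dictionary stands in for the database so the program runs on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// The client ships with no connection string. It sends a per-user token and
// can only invoke the fixed operations this service exposes.
static class OrderService
{
    // Constructed sample data: token -> user, issued and stored server-side.
    static readonly Dictionary<string, string> Tokens = new Dictionary<string, string>
        { { "token-for-alice", "alice" }, { "token-for-bob", "bob" } };

    // Stand-in for the database. A real service would read its connection
    // string from server-side configuration (for example a hypothetical
    // ORDERS_DB_CONNECTION environment variable) and run a parameterized query.
    static readonly Dictionary<string, int> OrderCounts = new Dictionary<string, int>
        { { "alice", 3 }, { "bob", 0 } };

    // Map "Authorization: Bearer <token>" to a user name, or null if unknown.
    public static string Authenticate(string header)
    {
        if (header == null || !header.StartsWith("Bearer ", StringComparison.Ordinal))
            return null;
        string user;
        return Tokens.TryGetValue(header.Substring(7), out user) ? user : null;
    }

    // One method per atomic operation: the caller's own order count.
    // No endpoint accepts SQL text or another user's name.
    public static KeyValuePair<int, string> Handle(string method, string path, string auth)
    {
        string user = Authenticate(auth);
        if (user == null) return new KeyValuePair<int, string>(401, "unauthorized");
        if (method == "GET" && path == "/orders/count")
            return new KeyValuePair<int, string>(200, OrderCounts[user].ToString());
        return new KeyValuePair<int, string>(404, "unknown operation");
    }

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("http://localhost:8080/"); // terminate TLS in front of this
        listener.Start();
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            var result = Handle(ctx.Request.HttpMethod, ctx.Request.Url.AbsolutePath,
                                ctx.Request.Headers["Authorization"]);
            byte[] body = Encoding.UTF8.GetBytes(result.Value);
            ctx.Response.StatusCode = result.Key;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}
```

A decompiled client reveals only the service URL and that user's own token, which the server can revoke without touching the database account.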

Source: https://habr.com/ru/post/1389142/

