I have a requirement to allow the user to specify, at time of first use, the connection string with which to connect to a database, and to change it later on, in a Windows client application. My current idea is to store the information in a text file which is checked each time the user opens the application for use, and prompts the user for an update if the information has been deleted or is invalid. I am not, however, confident that this is a secure approach to handling this issue and would appreciate other suggestions to help me better manage this.
4 Answers
You can
- Use Windows Authentication for SQL so that you don't need to manage passwords.
- Use CryptProtectData to encode / decode the password and save it on disk
From the CryptProtectData documentation:
The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer. For information about exceptions, see Remarks.
So even though SQL and Windows might have different logins, if there is a 1-1 mapping your saved, encrypted password text is relatively safe.

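The approach in this answer in working form, as an added example that is not code from the question or the answer: a .NET Framework Windows client that prefers Windows Authentication (so no password is persisted) and otherwise stores the connection string with DPAPI, which is what `System.Security.Cryptography.ProtectedData` wraps around `CryptProtectData`. The file location, the entropy value and the `GetOrPrompt` start-up flow are assumptions for illustration; `ProtectedData` needs a reference to `System.Security.dll` on .NET Framework (or the `System.Security.Cryptography.ProtectedData` package on .NET 5+, Windows only). One caveat to keep in mind: DPAPI ties the blob to the Windows account, not to your application, so any code running as that user can call `Unprotect` on it; the entropy only guards against accidental reuse, not against malware running as the same user.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;
using System.Security.Cryptography; // ProtectedData: reference System.Security.dll on .NET Framework
using System.Text;

// Added example, not code from the question or this answer. Persists the
// connection string for the current Windows user with DPAPI, the managed
// wrapper around CryptProtectData. The file path, entropy value and the
// GetOrPrompt flow are assumptions for illustration.
static class ConnectionStringStore
{
    // Per-user, non-roaming location (assumed): %LOCALAPPDATA%\MyClientApp\connection.bin
    static readonly string StorePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyClientApp", "connection.bin");

    // Optional entropy mixed into the DPAPI key. It is not a secret (it sits in
    // the binary), but it stops another program running as the same user from
    // decrypting the blob by accident.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyClientApp/connection/v1");

    // Preferred shape of the string: Integrated Security means no password is
    // ever stored; the blob then only hides the server and database names.
    public static string WindowsAuthConnectionString(string server, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,
            Encrypt = true
        };
        return b.ConnectionString;
    }

    public static void Save(string connectionString)
    {
        // Round-trip through the builder so a malformed string fails here, not at connect time.
        var builder = new SqlConnectionStringBuilder(connectionString);
        byte[] plaintext = Encoding.UTF8.GetBytes(builder.ConnectionString);
        // CurrentUser scope: only this Windows account on this machine can Unprotect it.
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plaintext, 0, plaintext.Length);
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath));
        File.WriteAllBytes(StorePath, blob);
    }

    // Returns null when nothing is stored or the blob will not decrypt (another
    // user, another machine, or a tampered file); the caller should prompt again.
    public static string Load()
    {
        if (!File.Exists(StorePath)) return null;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                File.ReadAllBytes(StorePath), Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    // The "is it still valid?" check from the question: actually open a connection.
    public static bool CanConnect(string connectionString)
    {
        try
        {
            using (var conn = new SqlConnection(connectionString))
            {
                conn.Open();
                return true;
            }
        }
        catch (Exception ex) when (ex is ArgumentException || ex is SqlException || ex is InvalidOperationException)
        {
            return false;
        }
    }

    // Start-up flow: reuse the stored string if it still works, otherwise ask
    // (prompt is whatever dialog the app shows) and store the answer.
    public static string GetOrPrompt(Func<string> prompt)
    {
        string cs = Load();
        while (cs == null || !CanConnect(cs))
        {
            cs = prompt();
            if (cs == null) throw new OperationCanceledException("No connection string supplied.");
            Save(cs);
        }
        return cs;
    }
}
```

At start-up the application calls `ConnectionStringStore.GetOrPrompt(ShowConnectionDialog)`; a missing file, a blob written by a different account and a string that no longer connects all end up on the same "ask again" path, which is the behaviour the question describes wanting.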
I'd store them in the app.config, as is the usual practice. You can modify the settings in code easily. Here's how
They should also probably be encrypted, which can also be done in the application's launch. You can encrypt/decrypt from code just as easily as you can modify the settings. Here's how.

I am not aware that you can write and change settings in the app.config file at runtime. – Kobojunkie Sep 24 '12 at 15:46
In general, applications should not be writing to their app.config files - they're stored in a location users don't have write permissions to. – Chris Tavares Sep 27 '12 at 22:26
I would store the connection string in either the App.Config or the registry. I do not think you can modify the App.Config at runtime, so if your application is using a database, that should be your first choice. If not, go with a flat file or the registry. You will definitely want to encrypt it. See this question on how to encrypt and decrypt a string and Base64 encode it.
To start with, I would not write your own dialog to get the initial connection string; instead you could use the VS2010 database connection dialog that Microsoft have released (download from here). This will do exactly what you want without you having to do the hard work (and for pretty much any remote connection you want).
No, your persistence of the connection string information should not cause any major security issues, as it is the connection string itself that should provide the security to the connection; you will have to ensure that the saved connection string does not contain the password, and bring up the dialog for each successive connection. If you use Windows Authentication, without passwords, then of course there could be a security issue, but I would say it is down to the users to use the correct security.
If the above is not sufficient, I would store the connection string in Properties.Settings.Default and encrypt the string using one of the .NET libraries, or even a hash. There are many approaches to this, but I would go with the referenced dialog to get the initial connection string, then persist this in the app's .config with properties. Simple.
I hope this helps.

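The "persist it in Properties.Settings" route from this answer and the app.config answer above, as an added example that is none of the answerers' code. `Properties.Settings.Default` is just a designer-generated subclass of `ApplicationSettingsBase`; writing that subclass by hand shows what is actually going on and also settles the comment exchange above: a `[UserScopedSetting]` is written to a per-user `user.config` under `%LOCALAPPDATA%`, which the user can write at runtime, whereas `[ApplicationScopedSetting]` values come from the app.config next to the executable and are read-only for the reasons Chris Tavares gives. The value is stored as a Base64 string of DPAPI ciphertext (encryption rather than a hash, because the string has to be recovered). The setting name and the `ProtectedData` call with no extra entropy are assumptions; `ApplicationSettingsBase` is in `System.Configuration.dll` and `ProtectedData` in `System.Security.dll` on .NET Framework.

```csharp
using System;
using System.Configuration;          // ApplicationSettingsBase (System.Configuration.dll)
using System.Security.Cryptography;  // ProtectedData (System.Security.dll)
using System.Text;

// Added example, not code from any of the answers. Hand-written equivalent of the
// designer-generated Properties.Settings class; the setting name is an assumption.
sealed class ConnectionSettings : ApplicationSettingsBase
{
    // UserScoped: saved to the per-user user.config under %LOCALAPPDATA%, which the
    // user can write. ApplicationScoped settings live in the app.config beside the
    // exe and cannot be changed at runtime.
    [UserScopedSetting]
    [DefaultSettingValue("")]
    public string ProtectedConnectionString
    {
        get { return (string)this["ProtectedConnectionString"]; }
        set { this["ProtectedConnectionString"] = value; }
    }
}

static class SettingsConnectionStore
{
    static readonly ConnectionSettings Settings = new ConnectionSettings();

    // Store DPAPI ciphertext, Base64-encoded so it survives as XML text in user.config.
    public static void Save(string connectionString)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(connectionString), null, DataProtectionScope.CurrentUser);
        Settings.ProtectedConnectionString = Convert.ToBase64String(blob);
        Settings.Save(); // writes user.config; no elevation required
    }

    // Returns null when the setting is unset or cannot be decrypted (another user,
    // another machine, or a hand-edited user.config), so the app can prompt again.
    public static string Load()
    {
        string b64 = Settings.ProtectedConnectionString;
        if (string.IsNullOrEmpty(b64)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(b64), null, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception ex) when (ex is FormatException || ex is CryptographicException)
        {
            return null;
        }
    }

    // Lets the user "change it later on": wipe the stored value and re-prompt.
    public static void Clear()
    {
        Settings.ProtectedConnectionString = "";
        Settings.Save();
    }
}
```

Because the ciphertext is scoped to the current Windows account, a `user.config` copied to another machine or profile simply yields null from `Load()` and the user is asked again; this is the same failure mode the question's "information has been deleted or is invalid" check has to handle anyway.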