Sorry, I've been searching for an answer for almost a day but can't really find the answer I'm looking for. All I can see is ASP.NET.

I created a custom configuration file that has a connection string named "connstring", and it contains this:

<connectionStrings>
  <add name="MySqlConnect"  connectionString="datasource=xxx;port=xxx;username=ccc;password=xxx" />
</connectionStrings>

The App.config is linked to it. How will I encrypt the connection string this way? Or is there any better way? Sorry, I'm a noob at this stuff.

Angelo
  • Don't put this in your application. C# code can be reversed very easily and you can easily gather the connection string from a C# program during its runtime with reflection. If your program needs some sort of database management, write a server application that takes care of it or use a webserver and retrieve information / send information through that. Never store database information in an application if you plan to make it public. – Bauss Jun 21 '15 at 18:19
  • The one that I posted is an external config file. By the way, this is just aimed at an isolated network: only one server where the data is stored and multiple client PCs connected to it, no online connection. And as I said, I'm kind of a noob at this security stuff. So could you give me this 'write a server application' approach? – Angelo Jun 21 '15 at 18:42
  • You can always try to have a server with IIS, and then put all your code in there with a WebApi. This way your database access is at a single point, and you can then let the application consume the WebApi instead of talking directly to the DB. – Donald Jansen Dec 10 '21 at 10:33

1 Answer

You could see the following post about encryption and decryption: Encrypting & Decrypting a String in C#

Then encrypt the connectionString value, and before you use the connection string, decrypt it:

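using System.Configuration;

// The config file holds the encrypted value; StringCipher comes from the post linked above.
var encrypted = ConfigurationManager.ConnectionStrings["MySqlConnect"].ConnectionString;
var decrypted = StringCipher.Decrypt(encrypted, "yourStrongPassword");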

--NEW ANSWER--

The following MSDN post explains how to encrypt a web.config file. According to them, you can just rename your app.config to web.config and then follow the steps to encrypt the web.config file (just remember to rename it back to app.config): https://social.msdn.microsoft.com/Forums/windows/en-US/3b5a1d1f-aa57-40d8-8607-fee0b2a8a6db/protect-appconfig-file-or-encrypt.

The alternative route to take is to create your own configuration file using XML/JSON and then completely encrypt the XML/JSON text and store it in a file.

public class MyConfiguration
{
    public string ConnectionString { get; set; }
}

Now you can create a new instance of MyConfiguration, serialize it with JSON/XML, encrypt the resulting string and store it in a file, copy it to the project where you can read it, decrypt it and deserialize it back to an object.

I would first try to use the web.config route and see how that goes.

Donald Jansen
  • I forgot it is also an external config file, so it is at risk of being modified by anyone. – Angelo Jun 21 '15 at 18:03
  • This might sound extreme: if people get hold of your DLLs and decompile your code to get "yourStrongPassword", which in this case is a hard-coded magic text in code, what can you do? – Just another Dev Dec 09 '21 at 01:47
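
The "own configuration file" route from the answer above, as an added example that is not part of the original answer or comments: it swaps the password-based StringCipher for Windows DPAPI (`ProtectedData`), so no key is hard-coded in the assembly, and a modified file is rejected on load. The `ProtectedConfigFile` class, the entropy string and the file name are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // ProtectedData: System.Security.dll, Windows only
using System.Text;
using System.Xml.Serialization;

public class MyConfiguration { public string ConnectionString { get; set; } }

// Hypothetical helper (not from the page): serialize, protect with DPAPI, store; then the reverse.
public static class ProtectedConfigFile
{
    // Constructed value: extra entropy that ties the blob to this application. It is not a secret key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.ProtectedConfig.v1");

    public static void Save(string path, MyConfiguration config, DataProtectionScope scope)
    {
        using (var buffer = new MemoryStream())
        {
            new XmlSerializer(typeof(MyConfiguration)).Serialize(buffer, config);
            // DPAPI derives the key from the Windows account (or machine), not from a string in code.
            File.WriteAllBytes(path, ProtectedData.Protect(buffer.ToArray(), Entropy, scope));
        }
    }

    public static MyConfiguration Load(string path, DataProtectionScope scope)
    {
        byte[] plain;
        try { plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, scope); }
        catch (CryptographicException ex)
        {
            // Thrown when the blob was altered or was protected under another account or machine.
            throw new InvalidDataException("Protected configuration could not be unprotected.", ex);
        }
        using (var buffer = new MemoryStream(plain))
            return (MyConfiguration)new XmlSerializer(typeof(MyConfiguration)).Deserialize(buffer);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: the placeholder connection string from the question.
        string path = Path.Combine(Path.GetTempPath(), "myconfig.bin");
        var config = new MyConfiguration { ConnectionString = "datasource=xxx;port=xxx;username=ccc;password=xxx" };
        ProtectedConfigFile.Save(path, config, DataProtectionScope.CurrentUser);
        var loaded = ProtectedConfigFile.Load(path, DataProtectionScope.CurrentUser);
        Console.WriteLine(loaded.ConnectionString == config.ConnectionString ? "round trip OK" : "mismatch");
    }
}
```

DPAPI blobs are not portable: with `CurrentUser` scope only the same Windows account on the same machine can unprotect the file, so it has to be written on each client PC. Any code running as that account can still read it, which is why the comments above recommend keeping database credentials on a server.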