
I'm using an ADO.NET Entity Data Model.

There I have two options:

  1. Save the sensitive data in the connection string
  2. Manually set it in code.

I chose the first option because it was shown in a lot of tutorials like this. But when I look in the debug folder I can easily open the app.config with Notepad and read the password of the database user.

But I want to publish the application and I don't want everybody to be able to see the password.

So is there a way to hide this password there? And when I make an installer for this with Visual Studio Build->Publish and the user installs the application, will this file be somewhere in the programs directory?

Please don't just share links. Thank you very much.

R. García
juliushuck
  • That is why Windows authentication to the database is recommended. It is extremely difficult to hide any data that is on the client. You might also consider accessing the data through a service, secured by a membership system, so that the connection is not on the client at all. – Crowcoder Apr 23 '18 at 12:07
  • You should search first. It's a very common problem. https://stackoverflow.com/questions/11637348/encrypt-connection-string-in-app-config – kara Apr 23 '18 at 12:07
  • Possible duplicate of [Encrypt connection string in app.config](https://stackoverflow.com/questions/11637348/encrypt-connection-string-in-app-config) – kara Apr 23 '18 at 12:07
  • @kara , if the app can decrypt it then so can a savvy user. That is not secure. – Crowcoder Apr 23 '18 at 12:09
  • @Crowcoder Hiding doesn't help you with this problem. Encrypt the password/connectionstring or search for another architecture. – kara Apr 23 '18 at 12:11
  • @kara I don't understand what that comment means. I'm saying you can encrypt your data but it's pointless to do so on the client because it is too easy to circumvent. I'm trying to prevent OP from taking bad advice. – Crowcoder Apr 23 '18 at 12:15
  • @Crowcoder The question was how to "hide" the password. Encrypting is one typical solution for this. If you store the password in a variable or const, you can still read it in the exe file or a dll. If you want a client without a password, the question is wrong. – kara Apr 23 '18 at 12:31
  • OK, now I hid it. Now I'm setting the connection string while running. But what is the really correct way to interact with a database in C#? Web service? – juliushuck Apr 23 '18 at 21:04
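
The Windows authentication approach raised in the comments, combined with setting the connection string at run time, as an added example that is not code from the question or from any commenter: the Entity Framework connection string is built with integrated security, so neither app.config nor the assembly contains a password and SQL Server authorizes the logged-on Windows account. It assumes EF6 with a database-first model; the server, database, model and context names are placeholders.

```csharp
using System.Data.Entity.Core.EntityClient; // EF6 (EntityFramework NuGet package)
using System.Data.SqlClient;

public static class ConnectionFactory
{
    // Placeholders (assumptions): replace with your server, database and EDMX model name.
    private const string Server = "DBSERVER01";
    private const string Database = "ShopDb";
    private const string ModelName = "ShopModel";

    public static string BuildEntityConnectionString()
    {
        // Provider-level connection string: note there is no User ID or Password.
        var sql = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            IntegratedSecurity = true,      // Windows authentication
            Encrypt = true,                 // needs a server certificate the client trusts
            MultipleActiveResultSets = true
        };

        // Wrap it in the EF connection string that points at the embedded model metadata.
        var entity = new EntityConnectionStringBuilder
        {
            Provider = "System.Data.SqlClient",
            ProviderConnectionString = sql.ConnectionString,
            Metadata = $"res://*/{ModelName}.csdl|res://*/{ModelName}.ssdl|res://*/{ModelName}.msl"
        };
        return entity.ConnectionString;
    }
}

// ShopEntities stands in for the generated context class (assumed name). Putting the
// constructor in a partial class keeps it when the model is regenerated.
public partial class ShopEntities : System.Data.Entity.DbContext
{
    public ShopEntities(string connectionString) : base(connectionString) { }
}

// Usage:
//   using (var db = new ShopEntities(ConnectionFactory.BuildEntityConnectionString())) { ... }
```

What each user can read or change is then governed by the permissions granted to their Windows account or group on the database, not by a shared credential shipped with the application.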

0 Answers