
Based on the link here, which talks about connection pooling, I see we are creating a new SqlConnection object which takes a parameter 'connectionString'.

How to use connection pool without passing the connection string? We retrieve the connection string securely but across the application we are passing around the string which makes the connection string available in memory dumps.

I am looking for an approach in C# similar to the way it is done in Java. We create the datasource object and ask for a connection, but we do not pass around the connection string.

How to achieve the same in C# ADO.NET connection pools?

TIA

Edit: What I meant by passing around the string (this code is present in every method in database access layer):

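```csharp
// connectionString is the string retrieved securely elsewhere in the application
using (SqlConnection connection = new SqlConnection(connectionString))
{
    connection.Open();
    // execute queries
}
```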
Subhomoy Sikdar
  • What do you mean by _"we are passing around the string"_? Where do you "pass it around" and how exactly (show code please)? – SᴇM Oct 08 '18 at 05:25
  • @SeM I updated the question to include your answer – Subhomoy Sikdar Oct 08 '18 at 05:29
  • Even if you encrypt the connection string, at some point in the lifetime of the application you will have to decrypt it to connect to the database... I would be more worried about DRY than about memory dumps revealing your connection string. One way to not repeat yourself is like I did [here](https://github.com/Peled-Zohar/ADONETHelper). – Zohar Peled Oct 08 '18 at 05:52
  • @ZoharPeled But even if I make it DRY, the methods will be invoked meaning the connection string with username, password, db details will be available in memory as long as the application is running – Subhomoy Sikdar Oct 08 '18 at 06:02
  • That's my point exactly. Instead of worrying about something that you can't control, do the things you can control to minimize the risk: prefer Windows authentication over SQL Server authentication, use stored procedures and limit your application logins to only execute the relevant stored procedures. You can use a WCF service as a middle tier between your application and the database, connecting over SSL to minimize the risk of "man in the middle" attacks. – Zohar Peled Oct 08 '18 at 06:11

1 Answer

If you are concerned about database credentials in memory dumps, don't use them.

Instead, you can

If you still want a factory you can use something like the EF's SqlConnectionFactory or of course write your own.

John Wu
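
One way to write such a factory yourself, combined with the Windows authentication suggested in the comments. This is an added example, not code from the answer or from any project linked on this page; the type names, the `dbo.Orders` table and the caller-supplied server and database names are assumptions.

```csharp
using System.Data.SqlClient;

// Hypothetical abstraction: data-access code depends on this, never on a string.
public interface IDbConnectionFactory
{
    SqlConnection OpenConnection();
}

public sealed class SqlServerConnectionFactory : IDbConnectionFactory
{
    // Held in one place; contains no user name or password.
    private readonly string _connectionString;

    public SqlServerConnectionFactory(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true, // Windows authentication instead of a SQL login
            Encrypt = true,            // TLS to the server
            Pooling = true             // the default, stated for clarity
        };
        _connectionString = builder.ConnectionString;
    }

    public SqlConnection OpenConnection()
    {
        // Every call uses the identical string, so callers share the same pool.
        var connection = new SqlConnection(_connectionString);
        try { connection.Open(); return connection; }
        catch { connection.Dispose(); throw; }
    }
}

// Hypothetical data-access class: it asks the factory for a connection.
public sealed class OrderRepository
{
    private readonly IDbConnectionFactory _factory;
    public OrderRepository(IDbConnectionFactory factory) { _factory = factory; }

    public int CountOrders()
    {
        // Disposing returns the physical connection to the pool.
        using (SqlConnection connection = _factory.OpenConnection())
        using (var command = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", connection))
        {
            return (int)command.ExecuteScalar();
        }
    }
}
```

ADO.NET keys its pools on the connection string text, so the factory does not remove the string from process memory; it confines it to one object and, with integrated security, keeps credentials out of it.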