0

I am creating a Windows Forms application in C#. I am storing the data source and initial catalog in Settings. But the connection string also contains a username and password.

The reason I am storing them in Settings is that at deployment I can easily set them up through my software. I want deployment to be easy and I want a dynamic connection string.

So can anyone guide me on how to store all of this? The settings file is a normal text file, so the user can easily change it.

I have a multi-user system. SQL Server is on one PC and all the users are on different PCs. So I don't think creating all the users in the database.

Naitik Kundalia
  • 2
    There's no reason to use a SQL username. Windows knows who the current user is. If you use Windows authentication by setting `Trusted Connection=true` in the connection string, that account will be used to connect to the database. – Panagiotis Kanavos Jan 22 '19 at 16:17
  • app.config https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files – SilentTremor Jan 22 '19 at 16:17
  • Actually, if you are using the out of the box SQL provider, you want to use "Integrated Security" rather than "Trusted Connection": https://stackoverflow.com/questions/1229691/what-is-the-difference-between-integrated-security-true-and-integrated-securit – Flydog57 Jan 22 '19 at 16:39

1 Answer

0

Instead of using SQL authentication, it is strongly recommended to access the database using the Windows accounts of the users. If your app runs inside an AD domain, you do not need to grant every single user access to the database, but can use an AD group for that purpose. See this link on how to enable Windows authentication in the connection string.

There are options to encrypt the connection string in the file. However, it will require some effort, as it will add another preparation or deployment step to perform the encryption per machine/user. In addition, there are no out-of-the-box tools available to encrypt a configuration file for a SmartClient app. So you'd also have to implement the encryption. See this link for details.

Please note that even if you use encryption, at least the current user account needs to be able to decrypt the settings in order to run the program. This also implies that a technically savvy user could create a small application that reverts the encryption and can get access to the credentials this way. So using Windows Authentication is really the better option.

Markus
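The Windows-authentication approach recommended in the answer and comments, as an added example that is not part of the original posts: the connection string is built at run time from the two values kept in Settings, with no username or password stored anywhere. The class and method names and the sample server and database names are assumptions.

```csharp
using System;
using System.Data.SqlClient;

static class Db
{
    // dataSource and initialCatalog are the two values the question keeps in
    // Settings; how the caller names those settings is an assumption.
    public static string BuildConnectionString(string dataSource, string initialCatalog)
    {
        if (string.IsNullOrWhiteSpace(dataSource))
            throw new ArgumentException("Data source is not configured.", nameof(dataSource));
        if (string.IsNullOrWhiteSpace(initialCatalog))
            throw new ArgumentException("Initial catalog is not configured.", nameof(initialCatalog));

        // Assigning through the builder's properties quotes each value, so text
        // typed into the settings file stays a single value and cannot append
        // further keywords to the connection string.
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = dataSource.Trim(),
            InitialCatalog = initialCatalog.Trim(),
            IntegratedSecurity = true // connect as the logged-on Windows account
        };
        return builder.ConnectionString;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values standing in for the Settings entries.
        string cs = Db.BuildConnectionString(@"DBSERVER01\SQLEXPRESS", "Inventory");
        Console.WriteLine(cs);

        // Constructed hand-edited setting that tries to add its own keyword.
        string edited = Db.BuildConnectionString("DBSERVER01;Integrated Security=false", "Inventory");
        var parsed = new SqlConnectionStringBuilder(edited);

        // Re-parse to show how the provider reads the result: the edited text
        // is treated as the server name, not as a second keyword.
        Console.WriteLine(parsed.DataSource);
        Console.WriteLine(parsed.IntegratedSecurity);
    }
}
```

Database access is then granted on the SQL Server side to the Windows accounts or AD group, as the answer describes, so the settings file holds nothing secret.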