4

I'm pretty new to C#, I've been doing a bunch of stuff but I'm missing a lot of basics. Anyways, I'm making a program where the user has to log in and then it checks if the entered password is the same as the one on the database.

Anyways, I know that there are ways to get into the code of a compiled program and I wanted to know if there's anything I should do to make sure that nobody can see the login info of the MySQL data somehow.

Thanks

5 Answers

6

There are many different ways you can Protect Connection Information depending on your specifications and requirements.

One simple rule, never include database connection strings in compiled code!!!

Some Links
Protect Connection Information
SO - Encrypt connection string in NON ASP.Net applications
MSDN Securing Connection Strings

Further to a question raised in the comments.
Secondary to ANY connection string configuration you should also limit the application's access to the database by using Role-Based Access Control to reduce the permissions granted to the application and the procedures or SQL commands it can execute to a bare minimum.

Lloyd
  • Even if you encrypt it, and the client has the encryption key (which it must to be able to decrypt it at run time to connect to the database), the client can manually decrypt the connection string and examine the login credentials. – Jared Shaver Feb 18 '12 at 18:27
  • If the intended user had the ability to decompile your code, find the key, decrypt the connection string then yes at this point your database and Data should be protected by limiting the applications abilities by using Roles. – Lloyd Feb 18 '12 at 18:35
  • Agreed. I almost had my connection string inside of the code, until I realized the client could just use Reflector or ILSpy to view the credentials :D – Momoro Mar 27 '20 at 22:56
2

The only way to prevent people from seeing your MySQL connection string credentials would be to use a three-tiered architecture where you have a webserver or service running on a server which holds the connection string and makes the requests to the database. Your client applications would communicate with the webserver/service.

Jared Shaver
1

I agree with Lloyd.

In addition to the security aspect, keeping the connection string out of compiled code means that if you need to change it for some reason, you don't have to recompile and redeploy your code. Often, you don't know that someone messed up the server name or database name or credentials until your site suddenly stops working. In the middle of the night.

DOK
  • I'm sorry but what does it even mean to 'keep connection strings out of compiled code' –  Feb 18 '12 at 18:00
  • In your question, you say you're worried about someone who could "get into the code of a compiled program" and see your MySQL data. That suggests that you have the database connection information in your compiled code. Anyone who wanted to gain access to the database to see the stored passwords (and other data) there would need the credentials from the connection string to be able to access the database. – DOK Feb 18 '12 at 18:06
0

I was thinking this would be an issue with my program, so I am making a PHP file to process POST data and return a response, where the PHP file on my server side holds the database connection as well as only returns limited data to my C# program. And the C# program then reads the response and gets the appropriate data. This will make it so the program itself does an HTTP POST and doesn't know the database user and password. As well as gives me control over what data can be sent to the C# program.

  • Seems like the safest method. From what I read here and in other places, directly connecting to the DB is the worst thing possible because the account info will most certainly get intercepted. That and I find it a pain in the ass to do simple things with MySQL in C#. In PHP, it's no problem at all, but in C# I had to go through annoying loops to properly insert queries (had to make an app where the user has to enter MySQL data to their own server) –  Jul 31 '12 at 18:53
0

There is no way to hide your connection credentials from someone that can get into your code using some ILSpy-like intrusion. «Intruder» can see anything needed to find them. For example he/she can see how you decrypt the (so called...) encrypted XML and use the same method.

The only way to hide user credentials is in the database itself, where the user has no access.

Explanation: If the user has to enter their own credentials to log in to the database, the credentials will be checked by the database server, so no credentials are exposed in your app residing on the user's machine. And the user cannot see others' credentials.

So:

  • Create the users in the database as database users.
  • Allow them to access any tables they should access.

In your program:

  • Ask user for credentials.
  • Check if you can connect to database with those credentials.

ilias iliadis
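
The steps in the answer above (ask for credentials, let the database server check them), combined with the earlier point about keeping granted permissions to a bare minimum, as an added example that is not code from any of the answers. It assumes the MySql.Data NuGet package; the host and schema names are placeholders, and `DbLogin`, `TryLogin` and `IsOverPrivileged` are hypothetical names.

```csharp
// Added example, not code from the page. Host and schema names are placeholders.
using System.Collections.Generic;
using MySql.Data.MySqlClient;

static class DbLogin
{
    // Returns the account's grants, or null when the server rejects the login.
    public static List<string> TryLogin(string user, string password)
    {
        var csb = new MySqlConnectionStringBuilder
        {
            Server = "db.example.internal",  // placeholder
            Database = "appdb",              // placeholder
            UserID = user,                   // typed by the user, never compiled in
            Password = password,
            SslMode = MySqlSslMode.Required  // keep the login off plaintext links
        };
        try
        {
            using (var conn = new MySqlConnection(csb.ConnectionString))
            {
                conn.Open();  // the MySQL server, not the client, checks the password
                var grants = new List<string>();
                using (var cmd = new MySqlCommand("SHOW GRANTS FOR CURRENT_USER()", conn))
                using (var reader = cmd.ExecuteReader())
                    while (reader.Read()) grants.Add(reader.GetString(0));
                return grants;
            }
        }
        catch (MySqlException ex)
        {
            // 1045 = ER_ACCESS_DENIED_ERROR; also checked on the inner exception.
            var inner = ex.InnerException as MySqlException;
            if (ex.Number == 1045 || (inner != null && inner.Number == 1045)) return null;
            throw;  // network or server faults are not a failed login
        }
    }

    // Least privilege: flag ALL PRIVILEGES or anything ON *.* other than the no-op USAGE grant.
    public static bool IsOverPrivileged(IEnumerable<string> grants)
    {
        foreach (var g in grants)
            if (g.Contains("ALL PRIVILEGES") ||
                (g.Contains(" ON *.* ") && !g.StartsWith("GRANT USAGE ")))
                return true;
        return false;
    }
}
```

Treat a `null` result as a failed login, and treat `IsOverPrivileged` returning true for an end-user account as a provisioning error to fix on the server.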