I have written a little console application that uses s#arp. I can create an executable using the configuration manager and selecting release. I understand that the dlls are needed and that there is apparently no easy way to ‘bind’ (?) everything into one executable:

SO link

Is there at least a way to hide:

NHibernate.config

So that the db’s connection string is hidden? I remember that it is possible to encrypt Web.config for asp.net. Maybe something similar is possible?

Any feedback would be very much appreciated. Many thanks in advance.

cs0815
  • Are you wanting to hide it for security reasons? Because if so, that's faulty security. If you don't trust a user with direct access to your database, then don't give him direct access to your database. If you're wanting to prevent someone from grabbing the details and then connecting, ideally you should create an API, not try to obfuscate the link details. – Corbin Mar 23 '12 at 09:43
  • Well the program does some number crunching and needs access to a database. The programs are run on different users' machines. They should not really be able to see the username and password for the database. – cs0815 Mar 23 '12 at 09:51
  • Well, for a determined user, he will be able to find them. Even if encrypted, at some point, the data has to be decrypted so the connection call can be made. A sneaky user could just find right where it was about to be called and get the user/pass from memory. Fairly difficult, yes, but there are a lot of people out there who could do it in a minute. – Corbin Mar 23 '12 at 09:58
  • Ok then. So I would have to start the program on the user's machine and enter the credentials to make it 'secure' as in not storing the credentials locally. Is this what you are suggesting? – cs0815 Mar 23 '12 at 10:07
  • No because even then the user could obtain the credentials. As Seif Attar mentioned, you basically have two options: 1) Just connect directly to the database. This is only feasible if you trust the end users or if the number of end users is small (like an in house application like he said). 2) Make an API. Then, instead of connecting to the database, you connect to the API. The API could be read only, or have some kind of authentication, or whatever. Basically it would just be a way of authenticating and holding people accountable. – Corbin Mar 23 '12 at 23:48

1 Answer

You would need to configure the connection string property in code to decrypt. SharpArch provides the following overload, which allows adding properties to your config:

    NHibernateSession.Init(
        sessionStorage,
        new[] { Server.MapPath("~/bin/Suteki.TardisBank.Infrastructure.dll") },
        new AutoPersistenceModelGenerator().Generate(),
        Server.MapPath("~/NHibernate.config"),

        // You can get all the values from your config and use them here
        // if you don't want a config file at all, or just decrypt the
        // connection string and provide that value in the dictionary:
        new System.Collections.Generic.Dictionary<string, string>
        {
            { NHibernate.Cfg.Environment.ConnectionString, DecryptConnectionString() }
        },
        null);

Where the decrypt method DecryptConnectionString() gets the connection string from wherever you like, be it an encrypted config section from app.config or a hard-coded string.

As Corbin said, this makes it more complicated for the average Joe to figure out the connection string, but it can be done. If you are going to be distributing this, then I would look into not connecting to the db directly.

Look into ILMerge if you want 1 executable with dlls inside it.

Seif Attar
  • Just curious - how do you distribute an exe which needs some database access without connecting to the db directly? Any pointers would be very much appreciated. Thanks. – cs0815 Mar 23 '12 at 15:36
  • It would really depend on the application/usage; an application that will only be deployed in house will have different constraints to one that end users download to their machine. Where I have implemented such a thing in the past, I got the data through a WCF service. – Seif Attar Mar 23 '12 at 18:55
  • I am using an older version so this might not apply...but I had to remove the connection string property from nhibernate.config and add it to the web.config, if I left it in then my override gets ignored. – row1 Jan 11 '13 at 01:36
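
Added example, not part of the original answer or of S#arp Architecture: one way the DecryptConnectionString() helper referenced in the answer could be backed by an encrypted connectionStrings section in app.config, using the .NET Framework's built-in DPAPI configuration provider. The class name and the "AppDb" entry name are assumptions made for illustration.

```csharp
using System.Configuration; // requires a reference to System.Configuration.dll

public static class ConnectionStringProtection
{
    // Assumed name of the <connectionStrings> entry; not from the original post.
    private const string ConnectionName = "AppDb";

    // Encrypts <connectionStrings> in the exe's own .config file.
    // DPAPI keys are bound to the machine, so the encrypted file is not
    // portable: this must run once on each machine (for example at first
    // start), which means the plaintext value exists there until it has run.
    public static void ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null || section.SectionInformation.IsProtected)
            return; // nothing to do, or already encrypted

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // ConfigurationManager decrypts a protected section transparently, so
    // the value returned here is plaintext in the process's memory. This
    // protects the file at rest only, not against the user running the exe.
    public static string DecryptConnectionString()
    {
        ConnectionStringSettings settings =
            ConfigurationManager.ConnectionStrings[ConnectionName];

        if (settings == null)
            throw new ConfigurationErrorsException(
                "Connection string '" + ConnectionName + "' is missing from app.config.");

        return settings.ConnectionString;
    }
}
```

Call ProtectConnectionStrings() before NHibernateSession.Init so the dictionary entry receives the value from the protected section. The database account behind that connection string should still hold only the privileges the application needs, since the encryption does not change who can ultimately read the credentials.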