Saving to SQL Server database from WPF - c#

I have a SQL Server database hosted on Azure. I need to write data from multiple PC users that are using WPF app to this database.
Assuming that WPF app is used by multiple users is it safe to save connection string in app.config file? What are the best practices for saving data from a Windows app into a shared database?
I'm afraid that users can manipulate data by utilizing connection string stored in app.config.

Assuming that WPF app is used by multiple users is it safe to save
connection string in app.config file?
IMHO, it is never safe to store connection string in plain text. You're absolutely correct that users can connect to the database outside of your application and cause some serious damage to your database.
A few things that come to my mind are:
Encrypt the connection string and use that instead of storing connection string unencrypted.
Use Azure AD based access control. Recently Azure team announced availability of connecting to a SQL Database using Azure AD credentials. This way you can authenticate the users before they connect to your database. You can read more about it here: https://azure.microsoft.com/en-in/documentation/articles/sql-database-aad-authentication/.
You may also find the following article useful in securing your Azure SQL Database: https://azure.microsoft.com/en-us/documentation/articles/sql-database-security-guidelines/.

Related

Is it secure to store SQL connection strings in a SQL user defined function for a winform app?

I have googled for a long time for ways to secure the SQL connection string stored in a Winforms app. Encrypting the app.config (connection string included) of a Winforms app could be useful; however, it is not as safe as a webform app since the app is installed on user's PC. Any malicious users who want find out the connection string can reverse-engineer the app using the locally saved certificate to decrypt out the connection string.
Recently, I think of a possible way for protecting my connection string.
It is like this:
I'll create a read-only user and a read-write user using MS SQL Server Management Studio. The readonly user's connection string is located in the resource properties unencrypted. It is used to connect to SQL Server and check for the login passwords into my app.
Once the password has been checked, I will call a user defined SQL function (secret key included) which input is a ciphertext and return me the connection string to login the SQL Server with the read-write user account.
Will someone view my secret key hid in the user-defined function? Will this work to protect my connection string for logging in the read-write user account?
Thanks for all your answers. After watching TimCorey's YouTube video (https://www.youtube.com/watch?v=rFncI9yfY-E), I think I am sort of knowing that my idea is too simple. Using stored procedures in a SQL server should be a safer choice than the user defined function.
Here I would like to make a summary, as suggested by Mouse Power and Charlieface, for a win-forms app to connect to a SQL server with more safety, we can get data from a SQL server either through:
(1) executing stored procedures (with limited permission) or through
(2) web APIs wherein SQL connections are made within the server.
Conventional encryption(using ASPNET_REGIIS) of connection string in web.config of a web-forms app can not be applied directly to the app.config of a winforms app. This is because the app.config and its encrypted key are both located on the client side, so it is difficult to prevent any malicious users using reverse-engineering to crack out the connection string. Nevertheless, encrypting the connection string using a key hidden somewhere (in codes, file, or resource) is still suggested, as a preliminary protection.
Using a separate account for each connection may also be an option, but this may make the programming of SQL connections relatively more complicated.

Secure connection string from winforms app to Azure SQL

I am working on upgrading an existing winform app with some mobile clients and would really like to put the SQL into Azure instead of the current local SQL solution. I would then change the connection string in the app.config file to point to Azure.
At present one of my biggest concerns is security and therefore I would like to secure the connection string (through encryption...) so that it can't be viewed locally in the app.config file.
Does anyone know how I should go about encrypting some or all of the app.config file to key the connection string our of sight. I have assumed that since Azure SQL uses SSL I don't need to worry too much about how secure it is when the request is actually being made from the winform app to Azure.
Any help much appreciated.
Jason.
Having SQL Azure connectionstring in a app either on desktop or mobile makes no sense. The server become vulnerable as anyone can decrypt the connection string if your app can. Some other issues that i can think of would be
Changing the SQL Server location become problematic as you have location available on each client config file.
Rights management has to be done for each user who you want to provide database access.
You need to look at building an intermediate layer such as OData endpoint or Web API end point which involves a server framework like using ASP.Net.
Also look at Azure Mobile Services which can provision a database and a server component to support standard CRUD operation and host of other features.
Warning: this is not a save solution!
You can store your credentials in an encrypted file and then connect to the database by reading and decrypt the credentials from that file.
Tutorial on file encryption: look here
Connect to database:
string connectionString = myconnectionstringReadedFromFile;
//
// In a using statement, acquire the SqlConnection as a resource.
//
using (SqlConnection con = new SqlConnection(myconnectionstringReadedFromFile))
{
//
// Open the SqlConnection.
//
con.Open();
//.... your stuff
}

Installing C# Windows Form Application with Database on another system

I have developed a winform application in C#.net and using SQL Server 2008.
My application inserts and updates values into database.
Is it possible to install the application on a another system which doesn't have sql server on it?
Imagine using sql azure. Cloud based sql server. The database is never on the same physically computer. It's all down to the connection string.
With an on premise database you need to make sure the database allows external connections, maybe opening up firewall etc. then make sure the connection string is set correctly on the application to talk to external database.
You can even configure to change the connection string as required pointing at different databases depending on the individual requirements.
Scott
Yes, you can. You can access the DB remotely by referring remote DB server in connection string.
It is possible, if you are looking to run the application on machine that is running on the same Domain as the SQL Server and has privileges to the SQL Server.

Connecting to Remote Database from Windows Forms

I have a question regarding C# Windows Forms connecting to external hosted databases.
I have a GoDaddy SQLServer 2008 database that I use for my web development database purposes. I am creating a C# windows form and I need that to connect to the database. I know how to connect a C# Windows Form to a local database, so I figured that the only difference would be to use a different connection string.
The connection string I am using is as follows:
Data Source=limeoatsdb.db.8996219.hostedresource.com; Initial Catalog=database; User ID=userid; Password=password;
I replaced the values above with dummy values, but obviously in my code they have the correct values.
First of all, is it even possible to connect a C# windows form to a GoDaddy database?
Secondly, if it is possible, any ideas on what I am doing wrong?
This is not possible. GoDaddy blocks all connections to its databases from systems it doesn't manage.
This is typical of many hosting companies. It's common that you can only use their databases from their own systems, for security reasons.
If you need access to your data, you'd need to create some form of intermediary step, such as building an API in your website which could be accessed by your form.
Beyond GoDaddy blocking ports, I should point out this is a bad idea if you plan on distributing the app.
If you allow clients to connect directly to your database, you're essentially leaving the front door wide open. There'd be nothing stopping me from connecting to your DB server with SQL Management Studio and fiddling with your data.
Think of it this way: in a web app, you'd never give client-side JavaScript direct access to your database. Instead, it has to go through your app server.
I'd create some kind of server that provides an API that the client Win Form can call. The server can even be a regular web server that provides REST/SOAP/whatever APIs. A good place to start might be looking in to WCF.
Yes, you can connect to a SQL Server database on GoDaddy servers.
It's a feature I've used to access the database through SQL Server Management Studio.
Check this: https://stackoverflow.com/questions/357147/go-daddy-sql-server-2005-remote-connection
Basically, when creating your database, make sure you check the "Direct Access" option.
Obviously, this is a security issue you must be aware of.

c# mysql connectionstring question

Im working in c#, I'm using mysql .net connector to interact with a remote mysql db. Is it safe to include the connection string inside the code and work with the db directly through the command object or should I be posting to a php middle layer to hide the connection string?
Thanks in advance.
In my opinion:
You shouldn't put Your connection
string directly in Your C# code if
Your application could be
decompiled = I mean WinForms application.
If You are working on a Windows
application, then try to implement a
log-in window. Where user will pass
his/her user name and password. This
solution needs a mysql user or users
for every person that would have
access to the system.
If Your are working on a web
application, then put You connection
string inside web.config file.
If You are working on application
with unrestricted access, then I
think You should implement some
layer... but remember, never pass
SQL queries as plain text via
network, as someone could sniff it.
I would recommend some kind of
webservice.
Then the connection string is just stored in the PHP middleware layer, so what's the difference? It has to be stored somewhere.
I would keep it simple and store it in the app.config or web.config of the C# app your writing.
Couple notes about storing it:
- Production connection strings should not be stored in version control.
- A production configuration file should exist on the production servers with the connection string.
- For added security, you can encrypt your connection string (http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx)

Categories

Resources