I am using Visual Studio 2010 and Microsoft Access 2010 to develop a desktop application using C# programming language.
connection string is:
connectionString="Provider=Microsoft.ACE.OLEDB.12.0;Data
Source=|DataDirectory|\KBank.accdb;Persist Security Info=False"
and i give it the password in the C# code as follows:
public string GetConnectionStringByName()
{
string returnValue = null;
ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["Info_Bank_Project.Properties.Settings.KBankConnectionString"];
if (settings != null)
returnValue = settings.ConnectionString + ";Jet OLEDB:Database Password=blablabla";
return returnValue;
}
i have used the database in the project in just one simple "Select" query.
so, concerning to the security issue..
can any one decrypt the access database or see the password?
and what is your suggestion to make it hard for any one to see the database data
This is little old thread, My experience on this issue might help someone.
You can create C++ DLL with the strong password located inside it, then call it from C# app to encrypt/Decrypt methods with the data base file name.
No, your data is not safe, since anyone can inspect your code using an MSIL decompiler and retrieve your connection strings from your app. There will be a point at some point in your process where someone has the possibility of seeing that password, whether it's in memory, in reflection, or something else.
If you have data that is in the possession of someone other than you, not on your servers, then you can assume you no longer have control over that data.
Now, with all that said, you can make it harder for them to get to by encrypting the database file and obfuscating your code.
Why not just put the password in your app.config and encrypt the app.config.
See here
Related
Before I begin, I've done good bit of research and googling. I think I didn't find the perfect answer because I'm probably a noob :)
However, I've created a POS software using Windows C# form application and it's working perfectly fine. Now, this application is using MySQL as database server.
I've been hard-coding the database server credentials on app.config file.
Code for the app.config file :
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<connectionStrings>
<add name="cString" connectionString="Server=localhost;Database=adittoenterprise;port=3306;Uid=root;Pwd=root123" providerName="MySql.Data.MySqlClient"/>
</connectionStrings>
</configuration>
Now I'm trying to create a package for other users to use. Definitely I need to come up with solution where the user can provide
host
username
password
During the installation and the application should store this somewhere (that is where my knowledge is lacking) and use it on the run time.
Any alternative solution is most welcome.
Thanks everyone in advance for bearing with me and helping me :)
Your installer needs to modify the app.config file. There are many different types of installers available and some of the more fully-featured packages can modify XML files such as app.config during installation.
It's also possible to modify the connection string at runtime (though since it's an application-scope setting, not a user-scope setting, that's probably not a good idea) as long as you do it before any database objects attempt to use it:
Properties.Settings.Default["cString"] = "new connection string";
... so you could potentially distribute your app.config with a blank connection string and prompt the user to provide those values the first time the application is run. You'd have to save the new value into a user-scope setting, though, in order for Save() to work:
Properties.Settings.Default.CustomConnectionString = "new connection string";
Properties.Settings.Default.Save();
(Note that I am a computer science student and still learning)
EDIT the links are not useful for your case as they only work with IIS, but still I would not save passwords in plaintext to a file such as the other answer suggested.
It should be considered bad practice to save the password especially plain text. Usually if an application starts it would require the user to authenticate to get access to the database. Of course you can store the password, but doing that properly you should look at http://msdn.microsoft.com/en-us/library/hh8x3tas.aspx and http://msdn.microsoft.com/en-us/library/89211k9b%28v=vs.80%29.aspx
Then if your application start for the first time your application can create/edit the config file and store the values. Note that your application cannot change it's own app.config at runtime so it would make sense to create a web.config for you database connection.
I am very new on c#/Visual Studio and I'm having difficulty on running my test methods. It requires us to connect to a database server resulting of getting always a failed result since we can't connect to the database.
We tried to modify the connection string to include our working credentials so that we can connect to the database server but the app.config file was encrypted.
Please see below screenshot of example encrypted line. How can we modify that?
As I see it I think the connectionstring is encrypted outside the project and pasted here. I am saying this because IMO encrypting just the connection string value and keeping the key in plain text is not possible from within the project. It is possible to encrypt the entire section within a config file.
Check the method which is using this connectionstring. I believe The method might be using some form of decryption. Use that to decrypt the string, change the values as required, encrypt it again and paste it in the above location.
You can also edit your question to include the method which is using the connectionstring so that I can analyse it and give you a better solution.
Hope this helps.
I have a requirement to protect my Web.config file from malicious users accessing our webserver & junior developers in team. I have used RsaProtectedConfigurationProvider to successfully encrypt & decrypt our file. However, decypting the connection string is as easy as accessing it from withing my application, no matter if it is encrypted or not
protected void btnShowConnectionString_Click(object sender, EventArgs e)
{
lblMessage.Text = WebConfigurationManager.ConnectionStrings["MyTestConnection"].ConnectionString;
}
How do I secure my connection string to avoid work arounds like these?
You cannot do this with standard solutions.
To do such protection you should write your own wrapper around standard library using this connection string, that will decrypt connection string from webconfig.
And you should protect your wrapper from decompiling with something like Sentinel Hasp. If you don't protect your wrapper it will be simple to get encryption algorithm and decrypt connection string.
But it will be simpler to do not write production connection strings to developers webconfig. Use developer enviroment for developing and write production enviroment connection strings when deploying to production enviroment.
You can read this link about secure string connection, recommended solution by msdn
link : http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx
IMHO, the "workaround" you are mentioning isn't really a workaround, rather, it is what it is.
Your application (web or otherwise), must be able to decyrpt the information so that i can actually make the connection. Unless you are using Windows Authentication to your SQL server, user/pwd are always "there"...the nagging question I have is why/how would such code exist in your application (in the first place)?
As noted above in previous answers, separate your development environment from production - perhaps only have production config transforms in production environment.
I am using an OdbcConnection to communicate with a DB2 database ex.
using (var conn = new ODBCConnection("Database=Database;UID=user;PWD=password"))
{
conn.Open();
…
}
I am worried that people with access to the machine may try to steal the database credentials. I have obfuscated the code but is it possible to use a packetsniffer to get the connection string? If so is there a way to protect against this?
If someone has access to your assembly or executable, it's possible to use ildasm to read the intermediate language that C# gets compiled into (CIL). Even if you obfuscate your code, it's pretty easy to retrieve String literals.
Obfuscators will typically encrypt String literals, and inject an extra method call to decrypt them before they are used. That means it's possible to get the implementation and keys of the decryption routine, and run them yourself.
So, to answer your question, you don't even need to use a packet sniffer to get the creds, you can do it by just examining the IL.
you can store your connecrion string in App.Config/Web.Config then you can encrypt your connection string
http://www.asp.net/web-forms/tutorials/data-access/advanced-data-access-scenarios/protecting-connection-strings-and-other-configuration-information-cs
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx
I am New to the more enhanced features of the C# and .NET coding practices
I have been trying to Find A solution to using a particular method in C# for Winforms, Windows Services And ASP.NET web Applications where you program your connection to SQL and Convert the C# Code file to a dll to be used in your project.
The idea is to Create the Connection and Convert it to a dll so that every time you start a function and need to make a database connection you will just write it where you say
Function ABC
{
//VB Version would be like this as i have seen this
Dim DCDLL as New Dataconn
//Where 'DCDLL' is the DLL file which is being declared as a new dataconnection
//C# Version would be Alon these Lines
SQLConnection DataConn = New SQLConnection(DCDLL)
}
I have only seen the VB Code version of the Call so I am not keen on the C# Method that this would be done
Meanwhile The DLL Holds all the other code like
string ConnectionString =
"Data Source=Datasource; UID=User; PWD=Pass; Persist Security
Info=True; Initial Catalog= Catalog";
Dataconn = new SqlConnection(ConnectionString);
Dataconn.Open();
the purpose of the DLL would be to handle the connection to the database, Open it catch errors if dataconnection is not successfull and close the connection if needed so that you dont have to programatically do this every time. Also it is only responsible for the connection therefore you can use a function to call the connection execute the procedure and whatever else is required.
The idea of using a DLL is just to make the Connection settings to the Database a little more secure, the Connection obviously wont become super secure but it adds more security than having the Code in you code pages etc.
i have spoken to and seen people use this type of method but my research on how to achieve this via google and other sources does not seem to understand what i am searching for.
I am trying to understand that when i code this file how it must be done as to ensure that it handles the database connection correctly without issues and doesnt break.
If anyone can Give me Examples in C# of how to do this it would be appreciated or if you know of any pages that have explained how to achieve this i would be most grateful for your assistance
You should put your connection strings in app.config / web.config, and use c# to get the values...
Get ConnectionString from app.config in c#
You can also encrypt the connection string...
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx