i am making a simple c#.net winform application with a form1, which will connect to sql server.
i want that before establishing a connection to sql server , the application asks the user to enter the login name & password to connect.
for this what should i do:
take the login name & password in two text boxes & pass them the to the connection string
or
should i pass them to the app.config file & then use the string from app.config file in the form1.cs?
will this be ok with the security issues? if not, then what are the other ways of implementing this task?
I would do this:
use a SqlConnectionStringBuilder component
define things like server name, database name etc. from your app.config
that component also has two properties for user name and password - fill those from a dialog box where you prompt the user for this information
that SqlConnectionStringBuilder then gives you the proper connection string to use for connecting to your SQL Server
Update:
My suggestion would be to store the basic connection string like this:
<configuration>
<connectionStrings>
<add name="MyConnStr"
connectionString="server=A9;database=MyDB;" />
</connectionStrings>
</configuration>
Then load this "skeleton" connection string (which is incomplete - that alone won't work!) into your SqlConnectionStringBuilder:
string myConnStr = ConfigurationManager.ConnectionStrings["MyConnStr"].ConnectionString;
SqlConnectionStringBuilder sqlcsb = new SqlConnectionStringBuilder(myConnStr);
Then grab the user name and password from the user in a dialog box and add those to the connection string builder:
sqlcsb.UserID = tbxUserName.Text.Trim();
sqlcsb.Password = tbxPassword.Text.Trim();
and then get the resulting, complete connection string from the SqlConnectionStringBuilder:
string completeConnStr = sqlcsb.ConnectionString;
using(SqlConnection _con = new SqlConnection(completeConnStr))
{
// do whatever you need to do here....
}
Pass the login to the connection string. app.Config is not a place to store user interaction.
Another way of implementing it might be to authenticate on the SQL server with Windows authentication. That way the local Windows user can have certain security privileges on the database and the user of the application would net necessarily have to enter any credentials.
What are the credentials used for? Are they used for establishing a connection with the database, or to access a user account entry and security privileges in the application?
For securing strings, use SecureString Class.
Sql authentication details is always kept seperate from application authentication details(There are exceptions...eg: ur making ur own version of sql server client)
Keep your database connection details in app.config.
It should Ideally contain one user with app level restrictions enabled.
The Login you speak about is an authentication module which exists in C#. eg: windows authentication,forms authentication etc.
Related
I have a connection string:
public static string str = "Data Source=SAI-7FD4677573D\\SQLEXPRESS;Integrated Security=True;Initial Catalog=Libary;";
But getting an error:
Cannot open database "Libary" requested by the login. The login failed.
Login failed for user 'SAI-7FD4677573D\Administrator'.
How can I write a connection string?
public static string str = "Data Source=SAI-7FD4677573D\\SQLEXPRESS;Integrated Security=False;User Id=SAI-7FD4677573D\Administrator;Initial Catalog=Libary;";
Please help what should I try?
It might be a typo. shouldn't be Library instead of Libary?
SQL Server can support two kinds of user authentication:
Windows based authentication & user/password authentication.
* Windows based authentication (also called "Integrated security)) is using your Windows login as medium of athentication. In this case you shouldn't proveide "User Id" and "Password" fields in the connection string and the "Integrated Security" param must be set to "true".
* Username/Password based. If you want to use explicitely defined username & password to access SQL Server database, "User Id" and "Password" fields in the connection string have to be specified and the "Integrated Security" param must be set to "false".
Bottom line - Your connection string contains both "Integrated security=true" and "User Id" param provided, which is an error. In case you need Windows authentication - remove User Id, otherwise add "Password" param and set "Integrated security" to false
Based on your data source, you seem to be using SQL Server Express. What you will need to do in order to use integrated security is to use SQL Server Management Studio to setup a login for your Windows user account and then create a "user" account for that login on your database.
What user account did you use to install SQL Server Express on your computer? It was probably a local administrator. So, log off, and log back on as that local administrator (or any local administrator or user who is in the "Administrators" group on your PC), and run SQL Server Management Studio (alternatively, you could hold down the shift key, right-click on SQL Server Management Studio, and select "Run as different user", and then enter your local administrator account). Then go to the "Security" > "Logins" section in "Object Explorer", right-click and select "New Login", then click "Search" and enter the local user account.
Next, select "User Mapping" under "Select a page" on the left-hand side, and put a checkmark next to your database in the list. In the database role membership below that, you can configure the base roles that your user will have, if desired.
I have been trying to understand what using trusted_connection=true in a SQL Server connection string (from within C#) means. I understand that it uses the current Windows user credentials to connect to the database. But does it mean the database server and the current user can be in different domains, same domain or in different but trusted domains ?
trusted_connection=true means Integrated Security=SSPI;
If this is not present in connection string then you need to specify userid and password in connection string as:
server=yourservername;database=yourdatabase;user id=YourUserID;password=password
If any of two (Trusted_Connection=true or Integrated Security=true/SSPI) is present , then the Windows credentials of the current user are used to authenticate against SQL Server and any useriD=userid and password=password text will be ignored.
Whichever number of users may present and fromwhichever user you may have logged in, it will ignore the stuff if:
Trusted_Connection=true
I got this error message while connecting my app with the database at my website.
If i try using XAMPP using my computer, its work well.
FYI, the username and password is same as username and password that i created using XAMPP.
and also grant the privileges.
this is the connection string. for example the server is 174.125.80.140, the database name is myDB, the Uid is alfred, and the password is Alfred111.
MySqlConnection conn = new MySqlConnection("Server=174.125.80.140; Database=myDB;Uid=alfred;Pwd=Alfred111;");
I'm using MySQL client version: 4.1.22.
I'm still can't access the database. is there any solution??
If you are using MySQL workbench,
1) Start the workbench
2) click on the option "Users and Privileges" under SECURITY
3) click on add user (for the specific user), this is more secure because it lets you handle who has access over your database and lets you control access.
however if you want to grant access a large number of users for an application like c# application, then hard-code the username and password in the application, from the user privileges that you have set above.
Hope this helps (^_^)
Yes, you may have supplied the user and password correctly but have you configure the server (new server) to accept Uid=alfred;Pwd=Alfred111;?
Adding User in MySQL Server
If your app is on a different host that the MySQL server then you most likely need to add a new user granting permission for that host. Your alfred user is probably allowed by localhost and nothing else. Try CREATE USER 'altred#'%' identified by 'password'; and then grant that user privileges on myDB.
You can replace % with a specific IP address or hostname as well, % allows the connection from any host which is not necessarily safe.
You can try the following query to see the allowed user/host combos:
SELECT `User`, `Host` FROM `mysql.user`
Hope that helps.
I created a desktop application in C#/WPF which connects to a SQL Server 2008 instance through a constant connection string specified in code as follows (for testing purposes):
private string GetConnectionString()
{
//test
return "Data Source=[server IP]; Initial Catalog=[database name]; User ID=[user ID]; Password=[smart password];";
}
The application will be used by various users and will be deployed via ClickOnce, a .zip archive or a custom installer. It also has a separated custom login functionality by requesting an application-access username and password.
Which is the best practice to store the connection string details for my desktop application (IP, database, SQL Server user, password)? If the connection string changes over night, which is the best method to update it without forcing users to update to the latest version of my application? Users should not be able to see/intercept/decompile the connection string, so I guess I must use some sort of encryption.
Do you have any kind of suggestion for my inquiry?
Even if you compile your connection strings into the application, they still can be viewed using the Ildasm.exe (MSIL Disassembler) tool because strings are a part of assembly's metadata.
Maybe this question can help you.
In a desktop application, you can't prevent a determined user from seeing the connection string. Even if you use encryption, a determined user will be able to find and use the encryption key.
If the client is connecting to the database then the connection can be hacked.
This is a sample of connection data in App.Config
<appSettings>
<add key="dbServer" value="svr"/>
<add key="dbDataBase" value="db1"/>
<add key="dbUser" value="sharedUser"/>
<add key="dbPassword" value="easyPassword"/>
</appSettings>
Need a reference to system.configuration
string SvrName = ConfigurationManager.AppSettings["dbServer"];
string DBName = ConfigurationManager.AppSettings["dbDataBase"];
string DBUser = ConfigurationManager.AppSettings["dbUser"];
string DBPassword = ConfigurationManager.AppSettings["dbPassword"];
As for security the answer is a 2 tier application where only the secure server side code connects to the database. This code sample from server side code.
The other benefits of server side is repeated queries from the same connection can gain from indexes in memory from prior query.
You could salt and hash the password read from the AppSettings and obsfuscate the application but you would have to use a static salt so it could be hacked. It would just slow down the hacker.
You need to add an "Application Settings" file to your application. Just right click on your solution -> add -> find something similar to "app configuration". In order to do this you will need some kind of external config file to store the connection string. You could even use a simple file. If worried about people finding the file, you can always encrypt the string and decrypt it in your app.
My opinion is that the safest solution is to have a local DNS entry point to the current SQL machine and the authentication to be Windows authentication.
For example : SQLMACHINE host name pointed to 192.168.1.3 in the DNS server.
This way if the name/IP of the SQL machine changes, only the DNS server needs updated (and possibly the local DNS caches to be invalidated).
Having Windows authentication means that no password will be stored on the local machine so you can safely store the connection string in the .config file with no worries.
My 2 (euro)cents.
I write a win app,and i create my database on the server by codes.now every client on local network can't login to my database and this error occured
:"cannot open database "test" requested by the login.the login failed for user "farzane".
the connectionstring for to make my database is:
ConnectionString=#"Data Source=SERVER\SQLEXPRESS;Initial Catalog=master;Integrated security=SSPI;Persist Security Info=False";
and it's my connection string for open my database:
ConnectionString=#"Data Source=SERVER\SQLEXPRESS;Initial Catalog=test;Integrated security=SSPI;Persist Security Info=False";
how can give permission for logining to my database to any client with codes???
thanks in advance for any help.
I would check two things here:
Ensure that your SQL Express install allows remote connections. (Simple to check using SQL Server Studio Manager).
You are using trusted authentication in your connection string. You have to explicitly give users on your domain access on the database. You will have to this in SQL Server.
are you using a domain for the network ?
if yes then make sure that the user name has access to the SQL server
if you're using a workgroup then it won't work... just create a user on the sql server and use the sql server auth at the server and connection string
Points i concluded:
First of all the users who are going to create the database , must be authorized to use master database. So ask your admin to allow permission to farzanne.
If you(farzanne) are admin, set farzanne to create databases permission to true. Or the other users that might create dbs. Also, if you allow all users then it will be difficult to handle, your application, so be alert.
What is the need of the dynamically createing database from application. Is this a part of setup or deployment or you are creating an isolated space that is different user different database.