 |  |  |  |  |  |  |  |
ConnecionString
Please support our C# advertiser: Intel Parallel Studio Home
Thread Solved |
•
•
Join Date: Oct 2008
Posts: 56
Reputation: 
Solved Threads: 1
Junior Poster in Training
Hello!
I'm having the following problem:
My application uses an SQL sever, and I entered the connectionstring in a .settings object. It warned me, that it's a security risk, etc. When I publsih my app, two files would be deployed, an .exe and a .config file, which contains all of the configurations of my application, including the user name and password, which I don't like to share with the users of my application. Is there any way to hide these settings? Or should I hard-code the string?
Thanks in advance!
I'm having the following problem:
My application uses an SQL sever, and I entered the connectionstring in a .settings object. It warned me, that it's a security risk, etc. When I publsih my app, two files would be deployed, an .exe and a .config file, which contains all of the configurations of my application, including the user name and password, which I don't like to share with the users of my application. Is there any way to hide these settings? Or should I hard-code the string?
Thanks in advance!
Will the users of your application be connecting to your SQL server or is the intent for them to connect to their own server?
The following presumes they will be connecting to your server:
Hard coding the connection string makes it a little harder to find, but unless you're encrypting it somehow, it would show up if the application file was scanned for text.
Some form of light encryption along with hard coding makes the connection information non-trivial to find, but it would be even more secure if the connection the program used was NOT an administrator connection for the server.
There might be other connection types available that might not require the program to have a user name and password. (I'm thinking windows authentication, but that might not always be available or might not be a viable option.)
The following presumes they will be connecting to your server:
Hard coding the connection string makes it a little harder to find, but unless you're encrypting it somehow, it would show up if the application file was scanned for text.
Some form of light encryption along with hard coding makes the connection information non-trivial to find, but it would be even more secure if the connection the program used was NOT an administrator connection for the server.
There might be other connection types available that might not require the program to have a user name and password. (I'm thinking windows authentication, but that might not always be available or might not be a viable option.)
•
•
Join Date: Oct 2008
Posts: 56
Reputation:
Solved Threads: 1
Junior Poster in Training
Thank you for answering!
Then I write down the whole problem, maybe there's a better way to get around.
In fact, it's all about licensing. I thought I'd create a database for license keys, and when the user enters his own, the app would compare the one entered with the elements of the database, and if there's a match, it would allow usage. Else, it keep asking for another key.
So I would absolutely not want to let anybody near that database, because it contains all the licenses. The connection string should never be seen, because with that, you could access all the license keys.
Any other suggestions?
Then I write down the whole problem, maybe there's a better way to get around.
In fact, it's all about licensing. I thought I'd create a database for license keys, and when the user enters his own, the app would compare the one entered with the elements of the database, and if there's a match, it would allow usage. Else, it keep asking for another key.
So I would absolutely not want to let anybody near that database, because it contains all the licenses. The connection string should never be seen, because with that, you could access all the license keys.
Any other suggestions?
So what you really want is a verification that a specific record (license) exists and you would never want anyone to be able to list or add records.
I'm not sure what resources you have available, but you could implement something like that through web service or a web page. The program would submit the license information and the service would confirm or deny the license.
You might also need to take steps to prevent someone from writing a program to attempt to test for all possible licenses. You might also want to work in a verification that the service that replied was the actual service and not a proxy that always responded with "that's a good license".
The topic is now closer to secure verification of credentials. Similar to the way users authenticate to a network. You might find more commentary and/or examples of how others are doing it if you search under that topic.
I'm not sure what resources you have available, but you could implement something like that through web service or a web page. The program would submit the license information and the service would confirm or deny the license.
You might also need to take steps to prevent someone from writing a program to attempt to test for all possible licenses. You might also want to work in a verification that the service that replied was the actual service and not a proxy that always responded with "that's a good license".
The topic is now closer to secure verification of credentials. Similar to the way users authenticate to a network. You might find more commentary and/or examples of how others are doing it if you search under that topic.
•
•
Join Date: Dec 2003
Posts: 2,414
Reputation:
Solved Threads: 123
A web service would DEFINITELY be the way to go. Then, all you would have to have in a configuration file or hard-coded is the address of the web service you're connecting to. That's a much safer alternative than connecting directly to a database. You can even encrypt the connection between the client and the web service if you're using WCF...
Alex Cavnar, aka alc6379
 |
Other Threads in the C# Forum
- Previous Thread: ComboBox Events
- Next Thread: stop method from executing
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest C# Posts
- Today's Posts
- Unanswered Threads
.net access algorithm array asp.net barchart bitmap box broadcast c# check checkbox client combobox control conversion csharp custom database databaseconnection datagrid datagridview dataset datetime dbconnection degrees design development draganddrop drawing encryption enum event eventhandlers excel file firefox form format forms function gdi+ grantorrevokepermissionthroughc#.net httpwebrequest image index input install java label libraries list listbox loop mandelbrot marshalbyrefobject math mouseclick movingimage mysql mysql.data.client operator path photoshop picturebox pixelinversion post programming radians regex remote remoting resourcefile richtextbox server sleep socket sql statistics stream string study system.servicemodel table tcpclientchannel text textbox thread time timer update usercontrol validation visualstudio webbrowser windows winforms wpf wpfc# xml
