Hello!

I'm having the following problem:
My application uses an SQL server, and I entered the connection string in a .settings object. It warned me that it's a security risk, etc. When I publish my app, two files would be deployed, an .exe and a .config file, which contains all of the configurations of my application, including the user name and password, which I don't like to share with the users of my application. Is there any way to hide these settings? Or should I hard-code the string?

Thanks in advance!


Will the users of your application be connecting to your SQL server or is the intent for them to connect to their own server?

The following presumes they will be connecting to your server:

Hard coding the connection string makes it a little harder to find, but unless you're encrypting it somehow, it would show up if the application file was scanned for text.

Some form of light encryption along with hard coding makes the connection information non-trivial to find, but it would be even more secure if the connection the program used was NOT an administrator connection for the server.

There might be other connection types available that might not require the program to have a user name and password. (I'm thinking windows authentication, but that might not always be available or might not be a viable option.)

Thank you for answering!
Then I'll write down the whole problem; maybe there's a better way around it.

In fact, it's all about licensing. I thought I'd create a database for license keys, and when the user enters his own, the app would compare the one entered with the elements of the database, and if there's a match, it would allow usage. Otherwise, it keeps asking for another key.
So I would absolutely not want to let anybody near that database, because it contains all the licenses. The connection string should never be seen, because with that, you could access all the license keys.

Any other suggestions?

So what you really want is a verification that a specific record (license) exists and you would never want anyone to be able to list or add records.

I'm not sure what resources you have available, but you could implement something like that through a web service or a web page. The program would submit the license information and the service would confirm or deny the license.

You might also need to take steps to prevent someone from writing a program to attempt to test for all possible licenses. You might also want to work in a verification that the service that replied was the actual service and not a proxy that always responded with "that's a good license".

The topic is now closer to secure verification of credentials. Similar to the way users authenticate to a network. You might find more commentary and/or examples of how others are doing it if you search under that topic.

A web service would DEFINITELY be the way to go. Then, all you would have to have in a configuration file or hard-coded is the address of the web service you're connecting to. That's a much safer alternative than connecting directly to a database. You can even encrypt the connection between the client and the web service if you're using WCF...
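The replies above suggest a service that only confirms or denies one key, limits guessing, and proves to the client that the answer came from the real service. The following C# sketch is an added example, not code from any poster in this thread. It assumes a recent .NET runtime, an in-process call standing in for the web service request, and hypothetical names (`LicenseService`, `LicenseClient`, `Check`, `IsLicensed`) with a constructed sample key.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Server side: the license table and the private signing key never leave it.
class LicenseService
{
    private readonly HashSet<string> _licenses = new HashSet<string> { "DEMO-1234-ABCD" }; // constructed sample
    private readonly Dictionary<string, int> _failures = new Dictionary<string, int>();
    private readonly RSA _signingKey = RSA.Create(2048);
    public RSAParameters PublicKey => _signingKey.ExportParameters(false);
    // Answers yes/no for a single key; there is no operation that lists or adds keys.
    public (bool Valid, byte[] Signature) Check(string clientId, string key, byte[] nonce)
    {
        _failures.TryGetValue(clientId, out int failed);
        bool valid = failed < 5 && _licenses.Contains(key); // lock out after 5 failed guesses
        if (!valid) _failures[clientId] = failed + 1;
        byte[] sig = _signingKey.SignData(Payload(nonce, valid), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return (valid, sig);
    }
    // Signed payload: the client's fixed-length nonce followed by the verdict.
    public static byte[] Payload(byte[] nonce, bool valid) =>
        nonce.Concat(Encoding.ASCII.GetBytes(valid ? "|valid" : "|invalid")).ToArray();
}

// Client side: ships only the service address and the public key.
static class LicenseClient
{
    public static bool IsLicensed(LicenseService service, RSAParameters publicKey, string key)
    {
        byte[] nonce = new byte[16]; // fresh per request, so an old "valid" reply cannot be replayed
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        var reply = service.Check("client-1", key, nonce); // stands in for the web service call
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return reply.Valid && rsa.VerifyData(LicenseService.Payload(nonce, reply.Valid),
                reply.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }
    static void Main()
    {
        var service = new LicenseService();
        Console.WriteLine(LicenseClient.IsLicensed(service, service.PublicKey, "DEMO-1234-ABCD"));
        Console.WriteLine(LicenseClient.IsLicensed(service, service.PublicKey, "WRONG-0000-0000"));
    }
}
```

A proxy that always answers "valid" cannot produce a signature over the client's fresh nonce without the service's private key, so the client rejects its reply. The signature does not hide the submitted key, so the connection itself still needs transport encryption.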

Thank you very much for the answers, I'll start writing that service then.
