Re: Storing Connection String

Hi John,

"John Stivenson" <JohnStivenson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:911A0572-76CC-4C3E-ADAA-85DC0E6215A2@xxxxxxxxxxxxxxxx
It's a desktop application.

I don't want to use the integrated security because I don't know in which
environment the application will be used.

My idea is to have just one database user whose username and password would
be hard-coded in the application. The connection string would be always the
same (except server name, which is stored in config file or registry). The
authentication would be application-managed (storing usernames/passwords in
the database).


I hope you understand that this is very very weak protection. And a very problematic one. Since you have only one database connection credentials it means that this credentials can do everything (that application can do) to the database. Which means that if an user get hold of connection string he/she can issue sql statements at his/her will to the database - and getting hold of such connection string is not hard.
Anyway, in the given context I would encrypt username & password and put them in config file (in case they change). Encryption key might be a certificate stored in windows certificate store.
As per database I would use only stored procedures (and maybe views) to and deny access to tables (to mantain integrity and to protect sensitive dasta if any).

Where in code could I store the connection string in order to be accessible
from everywhere (table adapters in several datasets and various command
objects)?


In a static property.

Btw, how do I implement separate data tier?

You create a separate assembly which resides on the server and does database operations. Front end communicates with this assembly remotely (using remoting, WCF, web services or whatever) and sends datasets (or any other form of data - but doesn't issue any sql statements) forth and back.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

.

Relevant Pages

  • Re: ASP.NET & Integrated Security setup?
    ... The issue is that if an rogue aspnet app is run, ... > I've read quite a few places where it recommends you use> integrated security in your connection string. ... > I tried this in test page to connect to the Northwind> database by setting my connection string to:> ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Cannot display ODBC login prompt - want to connect without DSN
    ... database without knowing anything beforehand except the driver name. ... need a connection string and different data sources use different connection ... ODBC, ADO, and VB Script. ...
    (microsoft.public.dotnet.framework.adonet)
  • Re: Cannot display ODBC login prompt - want to connect without DSN
    ... Depending on the database you are using, ... you need to know the basics of the connection string and can populate ... no. the login box which you are talking about was provided to ODBC ... When the user exits the dialog box, the driver connects ...
    (microsoft.public.dotnet.framework.adonet)
  • Re: Change Connection String at runtime.
    ... easily moved to another database, or have versions for each database. ... connection string to the connectionobject before the connection opens. ... *The Server IP number is different for every deployment. ... It appears that the generated code uses the application settings to ...
    (microsoft.public.dotnet.framework.adonet)
  • RE: ASP.Net not impersonating for WSE 2.0
    ... This causes calls made by the service (which call into the database ... >security from anywhere in my web services.* On some of my webservices I ... >has a column called username and one called password. ... This query is also run with Integrated Security. ...
    (microsoft.public.dotnet.framework.aspnet.webservices)