Re: Storing Connection String
- From: "William (Bill) Vaughn" <billvaRemoveThis@xxxxxxxxxx>
- Date: Thu, 4 Jan 2007 17:41:04 -0800
If enabled, you can encrypt the traffic to the SQL Server.
--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
-----------------------------------------------------------------------------------------------------------------------
"John Stivenson" <JohnStivenson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DA2D4CCB-2574-490A-A55F-BC70B443AA01@xxxxxxxxxxxxxxxx
I would like to be able to manage users (e.g. add new users) from my application.
I could store encrypted username and password in code (instead of storing them in plain text) and decrypt them on the fly, but I suppose that they are transferred unencrypted over the network and this is the weakest point. How can the malicious user otherwise find out the password in this scenario?
"Miha Markic [MVP C#]" wrote:
"John Stivenson" <JohnStivenson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:911A0572-76CC-4C3E-ADAA-85DC0E6215A2@xxxxxxxxxxxxxxxx
It's a desktop application.
I don't want to use the integrated security because I don't know in which environment the application will be used.
My idea is to have just one database user whose username and password would be hard-coded in the application. The connection string would be always the same (except server name, which is stored in config file or registry). The authentication would be application-managed (storing usernames/passwords in the database).
I hope you understand that this is very very weak protection. And a very problematic one. Since you have only one set of database connection credentials it means that these credentials can do everything (that application can do) to the database. Which means that if a user gets hold of the connection string he/she can issue SQL statements at his/her will to the database - and getting hold of such a connection string is not hard.
Anyway, in the given context I would encrypt username & password and put them in config file (in case they change). Encryption key might be a certificate stored in windows certificate store.
As per database I would use only stored procedures (and maybe views) and deny access to tables (to maintain integrity and to protect sensitive data if any).
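
Added example, not written by any poster in this thread: a T-SQL sketch of the "stored procedures only, deny access to tables" layout suggested above, for the user-management case in the question. All schema, table, procedure, role, user and login names are hypothetical, and it assumes SQL Server 2005 or later with both schemas owned by dbo so that ownership chaining applies.

```sql
-- Constructed example; every object name below is hypothetical.
-- Tables live in one schema, procedures in another, both owned by dbo.
CREATE SCHEMA core AUTHORIZATION dbo;
GO
CREATE SCHEMA api AUTHORIZATION dbo;
GO
CREATE TABLE core.AppUser (
    UserId       int IDENTITY(1,1) PRIMARY KEY,
    UserName     nvarchar(64)  NOT NULL UNIQUE,
    PasswordHash varbinary(64) NOT NULL,  -- salted hash computed by the application
    Salt         varbinary(16) NOT NULL
);
GO
-- The only path the application has for adding a user.
-- Keep the body static and parameterized: dynamic SQL (EXEC / sp_executesql)
-- inside the procedure would break the ownership chain and hit the DENY.
CREATE PROCEDURE api.AddUser
    @UserName nvarchar(64), @PasswordHash varbinary(64), @Salt varbinary(16)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO core.AppUser (UserName, PasswordHash, Salt)
    VALUES (@UserName, @PasswordHash, @Salt);
END
GO
-- Role for the single application login: may execute, may not touch tables.
CREATE ROLE app_exec;
GO
GRANT EXECUTE ON SCHEMA::api TO app_exec;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::core TO app_exec;
GO
-- app_login is an assumed, already existing SQL Server login.
CREATE USER app_user FOR LOGIN app_login;
EXEC sp_addrolemember 'app_exec', 'app_user';
GO
-- Verify as the application user (constructed sample values).
EXECUTE AS USER = 'app_user';
EXEC api.AddUser N'alice', 0x01, 0x02;  -- succeeds through the procedure
SELECT * FROM core.AppUser;             -- fails: SELECT permission denied
REVERT;
```

With this layout, someone who recovers the hard-coded connection string can still call every procedure in the api schema, so each procedure has to enforce its own checks; the DENY only removes ad-hoc statements against the tables.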