C#: protect a database connection string in Settings / prevent decompiling?

4

5

Is there any way to prevent people from using Reflector.net to decompile my .exe C# application? I know there are tons of posts about this, but I don't really care if people can see my code; the only thing I want to "hide" is my database connection string.

I am currently using "Settings" in my C# project to keep the database connection info. I wanted to know whether using those strings in my project's Settings would prevent people from seeing them.

I am using DotFuscator in Visual Studio 2008, but I heard it wasn't preventing people from decompiling my program.

I know I could use web services, but my server will be on Linux, so I guess I can't store web services on Linux.

Driggers answered 3/1, 2012 at 20:22 Comment(7)
Have a look here: #2107536Adiabatic
and here: #2478730Adiabatic
please only 1 question per post.Chur
You can most certainly host web services (of many different kinds, I'm not sure what specifically you're picturing here) on Linux. But that's a topic for another discussion entirely.Forwardness
I only need to hide the database connection info... so my question is: can people see my project's Settings strings with Reflector.Net and other decompiling programs?Driggers
Posting as a comment because this was closed wrongly... Take a look at this guide on this specific topic from MSDN: msdn.microsoft.com/en-us/library/dtkwfdky.aspx Keep in mind, however, that this only shifts the security burden. Now you need to manage the security of the key.Alviani
Don't use a direct database connection from your program unless the user is trusted to use the database directly with the same privileges. Have a service (web service, REST-service, etc) in between that you host on your own server. Linux can host services of any of those types I mentioned (use Mono if you want them in .NET on Linux).Ballata
5

No. Even if you encrypt the connection string in the program code or in a settings file, you will need to decrypt it, and the program must necessarily contain the decryption key somewhere, which means that someone who is interested enough in finding it will find it, no matter how creative you are in hiding it. Why do you need to hide the connection string? If you are afraid that someone who has your program might call the web services directly and trigger unintended actions, you should look into how the web services are structured, what they allow clients to do, and how the authorization works, and make security improvements there instead.

Moshe answered 3/1, 2012 at 20:26 Comment(8)
Well, my program is going to connect to a MySQL database, meaning if people can see the database connection info then they can connect to it and delete all the data? Should I do it in Java instead of C#? I heard Java can't be decompiled?Driggers
@Driggers You are barking completely up the wrong tree here; all code can be 'decompiled' in one way or another, and you can not expect to hide your connection details from the end user. You need to give them their own details, instead.Fifi
OK, so basically I should make a registration page in a .php page, and when the user uses the C# app he needs to enter his info (validated by a server application)?Driggers
@Kinouk: Allowing a client-side application to connect directly to a database and execute arbitrary queries is extremely dangerous unless you make sure that the database user can only access exactly the tables and columns it needs, and that the permissions make it impossible to do harmful things. This might be impossible if the application has to modify tables. (A safer possibility, though, is to use stored procedures and only allow the user to call those.) You are much better off by forcing the application to go through a web application or web service, as you describe.Moshe
(To everyone else: There are exceptions, of course, such as in controlled environments, e.g. if you are making an application that will only be used by trusted employees within a company.)Moshe
So I need a lot of servers? Or only 1 server that checks for new registrations and stuff?Driggers
@Driggers - 1 server is enough. It can be the same that is hosting the database.Ballata
@Kinouk: PHeiberg is right. You just need to make sure that every user of the program gets their own username and password (or everyone can have the same username and password if everyone who uses the program shall be allowed to do the same things). It won't be a problem if the users find the username and password, because the only thing they can do with it is to use the web service, which will only allow them to do whatever they could do through the program.Moshe
5

If your program has the connection string in it, users of your program can get it back out. Even if you encrypt it, they can sniff it when your program connects to the DB server.

If you don't want your users to know your DB login credentials, don't give your DB login credentials to the users. That's the only way.

You could do this by instead giving each user their own credentials, and using the permissions system in the DB server to control what they can or can not do.

Fifi answered 3/1, 2012 at 20:26 Comment(3)
OK, but how can the client communicate with the server if it doesn't contain the connection info? I'm lost, lol, sorry.Driggers
The client can't connect to the server without connection info. That's why you should do what my last paragraph said: Give each user their own login. And actually, you should not have them logging in to your database itself - you should instead have a server application - a web service, for example - and each user has their own, unique login to it. Just like you have your own unique Stack Overflow login - they don't just give you the username and password to the database.Fifi
OK, so basically I should make a registration page in a .php page, and when the user uses the C# app he needs to enter his info (validated by a server application)?Driggers
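As an added example (not part of the original thread) of the first sentence of the answer above, here is a small Python scanner that pulls connection strings straight out of the bytes of a compiled .NET program or its config file, without opening Reflector at all. It assumes only what the CLR does: string literals and application-scope Settings are stored in the assembly as UTF-16LE, and .exe.config / app.config files are plain text. SAMPLE_BLOB, the host names, user names and passwords in it are constructed for the example.

```python
"""Pull database connection strings out of a compiled program's bytes.

Added example, not code from the original thread. SAMPLE_BLOB is a constructed
stand-in that only mimics how a .NET assembly (UTF-16LE literals) and a config
file (plain text) carry a connection string; nothing in it is real.
"""
import re
from typing import Dict, List

# Printable runs of 8+ characters, either as ASCII or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Two or more 'key=value;' pairs in a row (ADO.NET / MySQL connector style).
KV_SEQ = re.compile(r"(?:[A-Za-z][A-Za-z ]*=[^;\"'<>]+;?){2,}")

CREDENTIAL_KEYS = {"pwd", "password", "uid", "user id", "user", "username"}
TARGET_KEYS = {"server", "host", "data source", "database", "initial catalog"}

# Constructed sample: header-ish bytes, a UTF-16LE literal the way a compiled
# assembly carries it, some junk, then a plain-text app.config fragment.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + "Server=db.example.internal;Database=shop;Uid=appuser;Pwd=S3cret!;".encode("utf-16-le")
    + b"\x00\x00\x13\x37\x00"
    + b'<add name="Default" connectionString="Data Source=10.0.0.5;'
      b'Initial Catalog=shop;User ID=svc;Password=hunter2" />'
    + b"\x00\x00\x00"
)


def extract_strings(data: bytes) -> List[str]:
    """Roughly what the `strings` tool does, plus UTF-16LE runs for .NET."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict with lower-cased, stripped keys."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def is_credential_key(key: str) -> bool:
    # 'endswith' tolerates leading words the key regex may have swallowed.
    return any(key == k or key.endswith(" " + k) for k in CREDENTIAL_KEYS)


def find_connection_strings(data: bytes) -> List[Dict[str, str]]:
    """Every key=value sequence in data that names a server AND a credential."""
    hits = []
    for s in extract_strings(data):
        for m in KV_SEQ.finditer(s):
            pairs = parse_connection_string(m.group())
            has_cred = any(is_credential_key(k) for k in pairs)
            has_target = any(k in TARGET_KEYS for k in pairs)
            if has_cred and has_target:
                hits.append(pairs)
    return hits


if __name__ == "__main__":
    # Typical use: find_connection_strings(open("MyApp.exe", "rb").read())
    for hit in find_connection_strings(SAMPLE_BLOB):
        shown = {k: ("<redacted>" if k in ("pwd", "password") else v) for k, v in hit.items()}
        print(shown)
```

Run it over your own build's .exe and .exe.config to see what ships. Encrypting the literal only moves the problem: the key and the decryption routine are in the same binary, and, as the answer notes, the decrypted credentials can also be read off the wire when the program connects.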
0

Take a look at this guide on this specific topic from MSDN: msdn.microsoft.com/en-us/library/dtkwfdky.aspx Keep in mind, however, that this only shifts the security burden. Now you need to manage the security of the key.

Alviani answered 3/1, 2012 at 20:45 Comment(0)
0

As others have stated, obfuscation is no real protection for a connection string stored in a client application where the user has access to the binaries.

Don't use a direct database connection from your program unless the user is trusted to use the database directly with the same privileges. Have a service (web service, REST service, etc.) in between that you host on your own server. Linux can host services of any of those types I mentioned (use Mono if you want them in .NET on Linux).

In order to expose your database via a web service using Mono or any other language/framework you can host on Linux you would create a web service method for each atomic operation you want to perform against the database.

An additional advantage over letting the client application access the database directly is that when the client application is using a service between itself and the database you are free to change your data store without affecting the client. You can decide to change the database schema in your database or replace the database with a NOSQL solution or even a flat file.

Having a service instead of communicating directly with the database moves the authentication/authorization requirement one step, so now you need to implement it in the service. Fortunately there is rich support for authentication in a web service.

Ballata answered 3/1, 2012 at 21:0 Comment(0)
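An added example (not code from the original thread, from Mono, or from any product mentioned here) of the design this answer and Moshe's answer recommend: a service layer with one method per atomic operation, per-user credentials, and the database login kept on the server only. It is written in Python with the standard library so it runs stand-alone; an in-memory SQLite table with constructed rows stands in for the MySQL server in the question, and the users, tokens and operations are invented for the example.

```python
"""A service layer that sits between the client and the database.

Added example, not code from the original thread. The client never holds
database credentials, only its own per-user token; the service exposes one
fixed, parameterised query per atomic operation and binds the caller's
identity itself. SQLite stands in for MySQL; rows, users and tokens are
constructed for the example.
"""
import hashlib
import secrets
import sqlite3
from typing import Optional

# ---- Server side only. None of this is shipped to the client. -------------
# With a real MySQL backend the DSN (host, user, password) would be read from
# a file on the server; it never appears in the client binary or its Settings.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT, qty INTEGER)"
)
_db.executemany(
    "INSERT INTO orders (owner, item, qty) VALUES (?, ?, ?)",
    [("alice", "widget", 2), ("bob", "gadget", 1)],  # constructed rows
)

# token hash -> username. Only the hash is stored, so a dump of this table
# does not hand out usable tokens.
_USERS: dict = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user: str) -> str:
    """Registration step: mint a random per-user token, keep its hash, and
    hand the token to the client. It is the only secret the client holds."""
    token = secrets.token_urlsafe(24)
    _USERS[_hash_token(token)] = user
    return token


def authenticate(token: str) -> Optional[str]:
    return _USERS.get(_hash_token(token))


# One entry per atomic operation: fixed SQL, the request parameters it takes,
# and whether it returns rows. ':user' is always bound from the token, so a
# caller can only see or change rows they own.
OPERATIONS = {
    "list_orders": ("SELECT id, item, qty FROM orders WHERE owner = :user", (), True),
    "add_order": ("INSERT INTO orders (owner, item, qty) VALUES (:user, :item, :qty)", ("item", "qty"), False),
    "delete_order": ("DELETE FROM orders WHERE id = :id AND owner = :user", ("id",), False),
}


def handle(token: str, op: str, params: dict) -> tuple:
    """Service entry point, shaped like one HTTP request: returns (status, body)."""
    user = authenticate(token)
    if user is None:
        return 401, "invalid token"
    if op not in OPERATIONS:
        return 404, "unknown operation"  # there is no 'run this SQL' endpoint
    sql, wanted, returns_rows = OPERATIONS[op]
    missing = [p for p in wanted if p not in params]
    if missing:
        return 400, "missing parameters: " + ", ".join(missing)
    bound = {p: params[p] for p in wanted}  # drop anything else the client sent
    bound["user"] = user                     # identity comes from the token
    cur = _db.execute(sql, bound)
    _db.commit()
    if returns_rows:
        return 200, [dict(zip(("id", "item", "qty"), row)) for row in cur.fetchall()]
    return 200, {"affected": cur.rowcount}


if __name__ == "__main__":
    token = issue_token("alice")                    # what the client gets at registration
    print(handle(token, "list_orders", {}))         # only alice's rows
    print(handle(token, "delete_order", {"id": 2})) # bob's row: affected 0
    print(handle(token, "run_sql", {"sql": "DROP TABLE orders"}))  # 404
```

Finding the token inside the client is harmless in the sense the answers describe: it only lets the holder do what that one user could already do through the program. Authorization (the `owner = :user` clause) lives in the query the service chooses, not in anything the client sends, and swapping SQLite for MySQL or anything else changes only this file.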
