2

As you guys know, hardcoded code in an exe file can easily be seen through some software (e.g. a code reflector). I want to know how I can hide my connection string, which has the SQL Server username and password used to connect to the database in a Windows Forms application, from being seen through any code reflector, so that no one except me may ever be able to use my application without my permission.

kashif
  • 1
    what about encapsulating your cs in a dll –  Jul 12 '12 at 21:29
  • 1
    Just don't. Use Integrated Security = SSPI in the connection string so the secure Windows authentication is used. This is something you need to leave up to the LAN admin anyway, don't get involved in your customer's security policies. – Hans Passant Jul 13 '12 at 13:11
  • @imrankhan did you mean obfuscating? or even better http://www.remotesoft.com/salamander/protector.html – Jeremy Thompson Jul 14 '12 at 01:45
  • @HansPassant I have designed my application for a coaching center which has more than 20 branches in the city. If I use integrated security = true, they will copy my database and attach it in SQL Server in a different branch and easily be able to run my application. I think using a uid and pwd is, however, better than what you suggested, because at least they will need to use a code reflector to know the uid and pass in the cs – kashif Jul 14 '12 at 09:52

1 Answer

3

As commented, you are better off using Integrated Security; however, if you are targeting a SQL Server with, say, Mixed Mode Authentication, you could use the Data Protection API to encrypt the connection string in the app.config. Here is a great article on the topic:

Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API.

Safeguard Database Connection Strings and Other Sensitive Settings in Your Code

How To: Use DPAPI to Encrypt and Decrypt Data (C#/VB.NET)

Jeremy Thompson
  • 1
    The 2nd link provided by you seems to me an acceptable solution for that, but if somebody can see the cs inside the exe file with a code reflector, can he not see the code I will use for encryption or decryption? – kashif Jul 14 '12 at 22:14
  • If you expect people to reverse engineer your exe & dll's you should obfuscate your code and come up with a bunch of strategies to make it too much of a challenge: http://stackoverflow.com/a/2611489/495455 The DPAPI has [two modes](http://msdn.microsoft.com/en-us/library/ff649248.aspx), [Machine and User Store](http://www.devproconnections.com/article/security-development/dpapi-storage-options). `Secrets` encrypted with the machine key can be decrypted by any process with access to the machine key. `Secrets` encrypted with the user key can be decrypted by any process started by the same user. – Jeremy Thompson Jul 15 '12 at 01:46
  • I asked you this question in July. Now I want to know something about the same question. If I encrypt some data using UserKey and then want to decrypt it on another machine, how will I create the same user with the same profile on another machine? – kashif Oct 25 '12 at 13:17
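
The DPAPI approach from the answer, with the user and machine scopes mentioned in the comments, as an added C# example (not code from the original posts or the linked articles). `ConnectionStringVault`, the entropy value and the sample connection string are constructed for illustration; on .NET Framework the project needs a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData, DataProtectionScope
using System.Text;

static class ConnectionStringVault // hypothetical helper name
{
    // Optional extra entropy mixed into the DPAPI key derivation. It ships in the
    // assembly, so a decompiler shows it; the protection comes from the Windows
    // user or machine key, not from this value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-sample-entropy");

    // Encrypt once (for example at install time) and store the Base64 text in app.config.
    public static string Protect(string connectionString, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] blob = ProtectedData.Protect(plain, Entropy, scope);
        Array.Clear(plain, 0, plain.Length); // do not leave the plaintext bytes around
        return Convert.ToBase64String(blob);
    }

    // Returns false when DPAPI cannot decrypt the blob in the current context
    // (for example it was protected under another user account) or it was altered.
    public static bool TryUnprotect(string stored, DataProtectionScope scope, out string connectionString)
    {
        connectionString = null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, scope);
            connectionString = Encoding.UTF8.GetString(plain);
            Array.Clear(plain, 0, plain.Length);
            return true;
        }
        catch (CryptographicException) { return false; }
        catch (FormatException) { return false; } // stored value is not valid Base64
    }

    static void Main()
    {
        // Constructed sample value, not a real credential.
        const string sample = "Server=db01;Database=Coaching;User Id=app_user;Password=example-only;";
        string stored = Protect(sample, DataProtectionScope.CurrentUser);
        Console.WriteLine("Stored in config: " + stored.Substring(0, 24) + "...");

        string roundTrip;
        bool ok = TryUnprotect(stored, DataProtectionScope.CurrentUser, out roundTrip);
        Console.WriteLine("Same user can decrypt: " + (ok && roundTrip == sample));
    }
}
```

Any process started by the same user (or, with `DataProtectionScope.LocalMachine`, any process with access to the machine key) can call `Unprotect` on the stored value, so this keeps the credential out of the exe and the config file in plaintext but does not hide it from that user.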