3

I want to make a client that connects to a SQL Server and has full access.

How do I make it so others won't see the connection string for the SQL Server and access it via other db editors? I know that .NET apps can be decompiled so I'm afraid for my server.

1
  • Put the connection string in the config file and encrypt it. If this is a web application it is easy to encrypt using aspnet_regiis with the -pe argument; not so easy for app.config files. Alternatively you could obfuscate your code, but I think that security by obscurity is one of the least effective methods. Commented Apr 17, 2016 at 11:50

3 Answers

5

Here's a not-so-secure reference implementation of a simple connection string encryption/decryption mechanism.

First of all, encode your connection string by using the Base64 encoding scheme.

Unencoded Connection String:

server=localhost\SQLEXPRESS2012;database=testdb;uid=testuser;pwd=supersecret

Base64 Encoded Connection String:

c2VydmVyPWxvY2FsaG9zdFxTUUxFWFBSRVNTMjAxMjtkYXRhYmFzZT10ZXN0ZGI7dWlkPXRlc3R1c2VyO3B3ZD1zdXBlcnNlY3JldA==

After this, the corresponding line in your App.config file should look like this.

<add name="TestDb" connectionString="c2VydmVyPWxvY2FsaG9zdFxTUUxFWFBSRVNTMjAxMjtkYXRhYmFzZT10ZXN0ZGI7dWlkPXRlc3R1c2VyO3B3ZD1zdXBlcnNlY3JldA==" providerName="System.Data.SqlClient" />

Finally, modify your DbContext to be able to create database connections by using the encoded connection string.

using System;
using System.Configuration;
using System.Data.Common;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Text;

namespace TestApp
{
    public class TestDb : DbContext
    {
        public TestDb() : base(CreateConnection("TestDb"), true)
        {
        }

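        static DbConnection CreateConnection(string dbName)
        {
            // Read the Base64-encoded value stored in App.config.
            string encodedCs = ConfigurationManager.ConnectionStrings[dbName].ConnectionString;
            // Base64 is an encoding, not encryption: no key is involved in decoding it.
            string decodedCs = Encoding.UTF8.GetString(Convert.FromBase64String(encodedCs));
            return new SqlConnection(decodedCs);
        }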
    }
}

As you've noticed, this implementation uses the Base64 encoding scheme which can easily be reversed by the end users if they know what they are doing.
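For contrast with the Base64 encoding above, here is an added example (not part of the original answer or of any project's code) that encrypts the `connectionStrings` section of an app.config in place with the .NET protected configuration API and the built-in DPAPI provider. It assumes a desktop .NET Framework app that references System.Configuration, stores the plain (not Base64) connection string under the name `TestDb`, and can write to its own .exe.config; the class name `ConnectionStringProtector` is hypothetical.

```csharp
using System;
using System.Configuration;

namespace TestApp
{
    // Hypothetical helper class, added for illustration.
    public static class ConnectionStringProtector
    {
        // Name of the built-in protected configuration provider that wraps Windows DPAPI.
        const string DpapiProvider = "DataProtectionConfigurationProvider";

        // Encrypts <connectionStrings> in the application's .exe.config in place.
        // Returns true if the section was encrypted by this call.
        public static bool ProtectConnectionStrings()
        {
            Configuration config =
                ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
            ConfigurationSection section = config.GetSection("connectionStrings");

            if (section == null || section.SectionInformation.IsProtected)
                return false;   // nothing to protect, or already encrypted

            section.SectionInformation.ProtectSection(DpapiProvider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);

            // Drop the cached copy so later reads are loaded from the saved file.
            ConfigurationManager.RefreshSection("connectionStrings");
            return true;
        }

        public static void Main()
        {
            bool changed = ProtectConnectionStrings();
            Console.WriteLine(changed ? "connectionStrings encrypted" : "no change");

            // Reads stay transparent: the provider decrypts on access,
            // so existing code using ConfigurationManager keeps working.
            ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["TestDb"];
            Console.WriteLine(cs != null ? "TestDb readable by this process"
                                         : "TestDb not found");
        }
    }
}
```

The DPAPI key is tied to the machine or user account that performed the encryption, so the file must be encrypted on the machine where the app runs. Because the application decrypts the value while running as the end user, this protects the file at rest only; it does not keep the credentials from someone who can run the client.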


2

A publicly available client with full db rights is usually never a good idea so you might want to rethink that.

Here's a nice MSDN article referring to your problem:

https://msdn.microsoft.com/en-us/library/89211k9b(v=vs.110).aspx

If you deploy the client to Azure you could also store confidential config information separate from your app from within the portal.

Some more ideas:

Retrieve the connection string via a separate remote service and handle it using a SecureString instance.

Or just don't give the client a connection string at all by hiding the entire SQL db behind a service wall.


1

Using certificates is always a great way to avoid having to store secrets in configuration.

SQL Azure has a new feature that allows you to use a certificate to access your database. See this link for more details: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/ (section 7.3)
