Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / Windows Forms / WinForm General / January 2007

Tip: Looking for answers? Try searching our database.

Where to Store Database Connection String Info for Windows Forms Application

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Merk - 06 Dec 2006 07:28 GMT
I'm looking for a safe and maintainable way to store connection string info
(connecting to SQL Server 2005 from .NET 2.0 Windows Forms client app);
things like server name or IP address and database name. I need to provide
the client application with this info for connecting to both a test SQL
Server and a production server.

I would prefer to NOT hard-code this info into the client application, and
App.Config seems rather unsafe as the users can change it with a text
editor.

What are my options?

Thanks.
Reply to this Message
RobinS - 06 Dec 2006 07:54 GMT
We store it in the Settings under the Project Properties. We're using
Windows security, so there are no usernames or passwords involved.

You could store two connectionstrings there (type = ConnectionString,
Scope = Application), then refer to them in your code as
My.Settings.ConnectionStringTest or something like that. (That's
what it's called in VB -- C# has different syntax.)

Robin S.
-------------------------------------
> I'm looking for a safe and maintainable way to store connection string
> info (connecting to SQL Server 2005 from .NET 2.0 Windows Forms client
[quoted text clipped - 9 lines]
>
> Thanks.
Reply to this Message
RobinS - 06 Dec 2006 07:55 GMT
Of course, that puts it in app.config, which is where you
didn't want to put it. Sorry about that.

Robin S.
-------------------------
> We store it in the Settings under the Project Properties. We're using
> Windows security, so there are no usernames or passwords involved.
[quoted text clipped - 19 lines]
>>
>> Thanks.
Reply to this Message
Bruce Wood - 06 Dec 2006 18:16 GMT
> I'm looking for a safe and maintainable way to store connection string info
> (connecting to SQL Server 2005 from .NET 2.0 Windows Forms client app);
[quoted text clipped - 7 lines]
>
> What are my options?

I've been looking into this same question in my spare time. One option
recommended by Microsoft is to store the connection string in
app.config, but to store it encrypted. Here is a good place to start
reading:

http://msdn2.microsoft.com/en-us/library/89211k9b.aspx

The difficulty is that all of the detailed articles I've found on
securing connection strings by encryption refer to Web applications,
not WinForms applications. There's probably a good reason for this:
encryption and decryption can work on a per-machine basis: one way you
can encrypt a string is to do so on a particular machine in such a way
that only that particular machine can decrypt it. That works great when
the only machine running your code is your IIS server. It doesn't work
at all well if you distribute your application to all and sundry.

I've yet to come across samples for a WinForms solution. Perhaps
there's a way to encrypt a string and store it in the configuration
file, then hard-code the secret portion of the key into one's
application. Hardly textbook security, but better than plaintext.
Reply to this Message
Merk - 06 Dec 2006 19:36 GMT
I appreciate your post. Perhaps a lazy-yet-effective way to go would be to
Base64 encode the string. That would "raise the bar enough" to satisfy my
desire to simply not have clear text in App.Config while getting around the
additional difficulties of encrypting the text. Thoughts? (and yes - I know
Base64 encoding is not the same as encryption - not even close).

Merk

>> I'm looking for a safe and maintainable way to store connection string
>> info
[quoted text clipped - 31 lines]
> file, then hard-code the secret portion of the key into one's
> application. Hardly textbook security, but better than plaintext.
Reply to this Message
Bruce Wood - 06 Dec 2006 19:45 GMT
> I appreciate your post. Perhaps a lazy-yet-effective way to go would be to
> Base64 encode the string. That would "raise the bar enough" to satisfy my
> desire to simply not have clear text in App.Config while getting around the
> additional difficulties of encrypting the text. Thoughts? (and yes - I know
> Base64 encoding is not the same as encryption - not even close).

I had thought of that, too. That would defeat unsophisticated, curious
users. I'm hoping to raise the bar a little higher, though....

I'm reading the article to which I linked and there indeed appear to be
solutions for WinForms applications buried in there. Haven't read
enough to arrive at an answer, yet....
Reply to this Message
Garry - 12 Dec 2006 15:43 GMT
Did you find a satisfactory answer?

I would be grateful to know wot the details were??

Garry

>> I appreciate your post. Perhaps a lazy-yet-effective way to go would be
>> to
[quoted text clipped - 11 lines]
> solutions for WinForms applications buried in there. Haven't read
> enough to arrive at an answer, yet....
Reply to this Message
Bruce Wood - 12 Dec 2006 18:15 GMT
> Did you find a satisfactory answer?
>
> I would be grateful to know wot the details were??

I read the pages to which I linked. It appears that the only thing
available is to store an encrypted password in the App.config file and
store the key as a literal in your program, then decrypt at runtime.
I've seen several encryption schemes suggested (all built into .NET)
but I haven't actually tried it yet.

Most other (more secure) schemes appear geared for ASP.NET / WebForms,
in which the program either runs on only one machine, or runs on a farm
over which you have control. One article had a method for dealing with
the latter case: Put the key into a container file that you then
protect using ACLs, but this of course assumes that you have
administrative privileges on the client machines and have the time and
expertise to establish and maintain a bunch of ACLs.

For applications that can be deployed to any machine (including laptops
/ tablets / etc) but for which you need to store DB user IDs and
passwords, encrypting them and then storing the key as a literal inside
the app seems the only thing available. The best you can do is make the
config file difficult to read, and so ensure that the password isn't
stored in any permanent, visible location.

No, it's not secure. In particular, someone could sift through a memory
dump of the running program and find the decrypted password (and indeed
probably the entire connection string, complete with user ID and
password) in memory. However, I see no way around this. If anyone else
has any ideas, please do post them.
Reply to this Message
Shailen Sukul - 16 Jan 2007 05:04 GMT
The Patterns and Practices Crytography block has a quickstart application
based on Windows Forms that might prove useful. You can get the PP Block at:
http://msdn.microsoft.com/practices/guidetype/AppBlocks/

Signature

With Regards
Shailen Sukul
.Net Architect
(MCPD: Ent Apps, MCSD.Net MCSD MCAD)
Ashlen Consulting Services
http://www.ashlen.net.au

>
>> I appreciate your post. Perhaps a lazy-yet-effective way to go would be
[quoted text clipped - 12 lines]
> solutions for WinForms applications buried in there. Haven't read
> enough to arrive at an answer, yet....
Reply to this Message

 Rate this thread:







Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.