Is it in any way better to do this
char[] sec = { 'a', 'b', 'c'};
SecureString s = new SecureString();
foreach (char c in sec) {
s.AppendChar(c);
}
IntPtr pointerName = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
String secret = System.Runtime.InteropServices.Marshal.PtrToStringBSTR(poin开发者_StackOverflow中文版terName);
than this
String secret = "abc";
or this
char[] sec = { 'a', 'b', 'c'};
String secret = new Secret(sec);
if I want to protect "abc" from beeing detected in decompiled MSIL code?
SecureString will protect your string once in memory, the string compiled into your MSIL will still be there in plain. If you need to hide sensitify information conside something like an encrypted app.config as described here: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
HTH Dominik
No. SecureString exists to prevent sensitive text (such as passwords) from being held in memory.
精彩评论