I created a C# application (not an ASP web page) which connects to a SQL 2005 server. In my source code the password and user ID for this SQL server are coded in plain text in the ConnectionString.
    // requires: using System.Data.SqlClient;
    SqlConnection con = new SqlConnection();
    con.ConnectionString =
        "Data Source=server1;" +
        "Initial Catalog=mydatabase;" +
        "Integrated Security=no;" +
        "User ID=admin;Password=mypassword;";
    con.Open();
Is there an easy way to encrypt the password or the whole connection string, so that other people who disassemble my tool are not able to see the password?
Thanks.
You should store your connection string in a config file and encrypt that section. See https://web.archive.org/web/20211020203213/https://www.4guysfromrolla.com/articles/021506-1.aspx or http://msdn.microsoft.com/en-us/library/89211k9b%28VS.80%29.aspx.
There are two ways of doing it:
- You can use Configuration Secure Section to encrypt and decrypt the connection string from your source code:

    // requires: using System.Configuration; (reference System.Configuration.dll)
    // exeConfigName is the path of the application's .exe file.
    try
    {
        // Open the configuration file and retrieve
        // the connectionStrings section.
        Configuration config = ConfigurationManager.OpenExeConfiguration(exeConfigName);
        ConnectionStringsSection section = config.GetSection("connectionStrings") as ConnectionStringsSection;
        if (section == null)
        {
            // "as" yields null when the section is missing from the config file.
            throw new ConfigurationErrorsException("connectionStrings section not found.");
        }
        if (section.SectionInformation.IsProtected)
        {
            // Remove encryption.
            section.SectionInformation.UnprotectSection();
        }
        else
        {
            // Encrypt the section.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        }
        // Save the current configuration.
        config.Save();
        Console.WriteLine("Protected={0}",
            section.SectionInformation.IsProtected);
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.Message);
    }
- You can use the Enterprise Library Data Access Application Block to perform the encryption using RSAProtectedConfigurationProvider or DPAPIProtectedConfigurationProvider.
For the full article go to --> http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
No, you can only make it difficult.
It is better to let the application use a special database login which only has access to the tables/procedures necessary.
You can encrypt sections in the app.config in the same way as web.config. MS calls it Protected Configuration. Since both the encrypted data and the key reside on the same machine, it only makes it harder but in theory not impossible to get to the data.
You can also store the username and password in the registry instead of storing them in the config file. Read the username and password from the registry when trying to connect to the database. Remember you have to encrypt the username and password when storing them in the registry and decrypt them when retrieving them from the registry.
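The registry approach from the answer above, sketched with DPAPI (`ProtectedData`) as an added example that is not code from any of the answers; the class name, the key path `Software\ExampleTool` and the value name are hypothetical. As another answer on this page points out, this only raises the bar: any code running as the same Windows user can decrypt the blob.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;
using Microsoft.Win32;

static class ConnectionSecretStore
{
    // Hypothetical registry location and value name chosen for this example.
    const string KeyPath = @"Software\ExampleTool";
    const string ValueName = "DbCredentials";

    // Run once at setup time: encrypt "user\0password" with DPAPI and store the blob.
    public static void Save(string userId, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(userId + "\0" + password);
        // CurrentUser scope: only code running as this Windows account can decrypt.
        byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
            key.SetValue(ValueName, blob, RegistryValueKind.Binary);
    }

    // Run at connect time: read the blob, decrypt it, build the connection string.
    public static string LoadConnectionString()
    {
        byte[] blob;
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
            blob = key == null ? null : key.GetValue(ValueName) as byte[];
        if (blob == null)
            throw new InvalidOperationException("No stored credentials; run setup first.");

        // Throws CryptographicException if the blob belongs to another user or was altered.
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        string[] parts = Encoding.UTF8.GetString(plain).Split(new char[] { '\0' }, 2);
        Array.Clear(plain, 0, plain.Length);
        if (parts.Length != 2)
            throw new InvalidOperationException("Stored credential blob is malformed.");

        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = "server1";          // server and database names from the question
        b.InitialCatalog = "mydatabase";
        b.IntegratedSecurity = false;
        b.UserID = parts[0];
        b.Password = parts[1];
        return b.ConnectionString;
    }
}
```

Pairing this with the restricted database login suggested in the earlier answer limits what a recovered credential can do.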