Putting database connection strings in code....safe?
Arc
Jul 10th, 2007, 04:56 AM
I once, long ago, on this very forum made a program that I "thought" was hacker proof, but some guy disassembled the code and somehow read the password I stored in a variable.
My question is, is it safe to put a connection string in a variable in my code (not that there is any way around it that I can think of) that connects to a remote database on the web?
I would hate for someone to simply decompile my code and read the connection string and then easily hack my database.
Is there any way around it, or to make it more secure?
Thanks!
wossname
Jul 10th, 2007, 06:18 AM
You could have per-user security on your DB server.
Alternatively load the string in from an encrypted file (but then again that just moves the password problem elsewhere unless you have a licensed exe which is unique to that machine).
superbovine
Jul 10th, 2007, 06:54 AM
Might not be a bad thing to read for you.
http://vbwire.com/brief.asp?11836
jmcilhinney
Jul 11th, 2007, 12:15 AM
If you're using .NET 2.0 then you can store your connection string in the config file and encrypt it.
Arc
Jul 11th, 2007, 02:19 AM
I am using 2.0.
BTW I read that article bovine and it was quite informative.
Thanks for all your suggestions guys.
nemaroller
Jul 11th, 2007, 01:25 PM
Arc,
Why does the client application need access to modify data in the database? Further, why does the client application directly access the database? I'd suggest using a server application to process client requests. Only the server application would have access to the database.
Also, do you have control over who has your client application?
Encrypting the connection string is a good step forward, but it's best not to have the connection string in any client application at all.
Arc
Jul 11th, 2007, 04:29 PM
I have a website that has individual client accounts. In this website is a database that holds information for the clients.
The point of this desktop app is to install on the client's computer, read files on the client's computer, then send information in those files to their account in my website.
I do have control over who gets the application (only people who are signed up to my website, who are business owners or managers etc.). I don't think any of them would even try to decompile my app or do anything malicious, but just in case the app got into the wrong hands (like a competing company) I want to make sure that I am protected.
nemaroller
Jul 12th, 2007, 07:47 AM
All the client application needs to know is the user id and password hash. It reads the data off the client machine, makes a request to the server with the attached user id and the data associated with the request.
The server application authenticates the user id and password hash and then processes the data. Only the server application needs to know the internals of where the common database is and what the connection string is. And yes, you would still encrypt that connection string in the server application's configuration file.
Arc
Jul 16th, 2007, 04:23 PM
Hrmm, I think I have come up with a way to make this as safe as possible...but I am not sure how to actually do it.
I could just assemble a SQL statement in the desktop app and then send that string to a PHP page on my server and let that page do the database connection and actual insertion of the SQL.
But, I am not sure how to post data to a PHP page from a desktop app.
I guess I will go to google and see what I can find.
nemaroller
Jul 16th, 2007, 04:35 PM
Is the desktop application a .NET application?
If so, you can simply use the System.Net.HttpWebRequest and HttpWebResponse classes in the client application. Won't matter if the server technology is PHP or not.
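
An added example (not code from any poster in this thread) of the client side described above: the desktop app posts the user id, password hash and data fields over HTTPS with HttpWebRequest, and contains no connection string and no SQL. The endpoint URL and form field names are assumptions; the server page is assumed to authenticate the request and build its own insert.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

// Added example: the client holds no connection string and sends no SQL.
// The URL and the form field names below are hypothetical.
static class UploadClient
{
    const string Endpoint = "https://example.com/upload.php"; // assumed URL
    // Builds an application/x-www-form-urlencoded body from name/value pairs.
    // Uri.EscapeDataString has a length limit, so very large fields need chunking.
    public static string BuildForm(params string[] pairs)
    {
        if (pairs.Length % 2 != 0) throw new ArgumentException("name/value pairs expected");
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < pairs.Length; i += 2)
        {
            if (sb.Length > 0) sb.Append('&');
            sb.Append(Uri.EscapeDataString(pairs[i])).Append('=')
              .Append(Uri.EscapeDataString(pairs[i + 1]));
        }
        return sb.ToString();
    }
    // Posts one record; returns true only when the server answers HTTP 200.
    public static bool Send(string userId, string passwordHash, string fileName, string content)
    {
        byte[] body = Encoding.UTF8.GetBytes(BuildForm(
            "user", userId, "hash", passwordHash, "file", fileName, "content", content));
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(Endpoint);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        req.ContentLength = body.Length;
        try
        {
            using (Stream s = req.GetRequestStream()) s.Write(body, 0, body.Length);
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                return resp.StatusCode == HttpStatusCode.OK;
        }
        catch (WebException) // raised for 4xx/5xx replies and for network failures
        {
            return false;
        }
    }
    static void Main()
    {
        Console.WriteLine(BuildForm("user", "acct-1001", "file", "sales 07.csv")); // constructed values
    }
}
```

Main only prints the encoded body for constructed values and makes no network call; Send is what the application would call per file.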
Arc
Jul 16th, 2007, 08:14 PM
Cool, I will look into that. Thanks a lot!
gamesguru
Jul 16th, 2007, 10:08 PM
Nothing is safe...haven't you noticed that all good software gets cracked!? It's inevitable!
Arc
Jul 17th, 2007, 11:14 AM
The point is, if/when someone decompiles my program there will be no database connection strings for them to steal and use.
I realise there is no way to stop someone from cracking the program.
superbovine
Jul 18th, 2007, 09:24 AM
The point is, if/when someone decompiles my program there will be no database connection strings for them to steal and use.
I realise there is no way to stop someone from cracking the program.
Does this application reside in an NT domain? What I usually do is a web service using NT credentials as my security and I have my form app use the web service as a reference to get all the data from my db. That way there is no connection string on the client side period and all access is controlled by NT credentials.