I want to know your opinions about the validity of my doubt. If I need to put the database username and password of a website in a Visual Basic program, then would it create security concerns or not?
If you do it in plain text then yes.
- ØØ -
Are you talking about hardcoding them into the connection string?
Quote:
Originally Posted by slice
Any hardcoded string values stored in a visual basic app can be read by another program like process explorer and there are probably apps that can read anything stored in memory but I don't know for certain.
Quote:
Originally Posted by DeadEyes
You just have to disassemble it to read that string. Hardcoded strings are easy to find. Another deadly sin is to check equality between two strings.
IE: User inputs "blahblah"
your app test:
userinput == password.
That will be an easy target too. A better way would be to encrypt the password. Then decrypt on the fly userinput, and check that against the encrypted password without decrypting it. A bit like MD5.
- ØØ -
Then what is the best and safe way to do it?
Because I have to write the username and password for giving it access to reach the database, so it would be somewhere in the VB code. :rolleyes:
Hi
First, if this is SQL Server, then use Windows authentication. This means:
no hiding of passwords
no passing of passwords across network
windows auditing of events in sql server
Always try to avoid SQL auth. I won't sign off a security design that includes SQL authentication.
However, if you're trying to access other databases, then you may not have this option.
If you wish to store secrets, then use the Data Protection API (DPAPI). Here is an explanation of how to use it. It's fairly complex:
http://msdn.microsoft.com/security/d...SecNetHT00.asp
Look at the How To sections under the heading 'cryptography'
Hope this helps
Chris Seary
:( it is php and mysql.
Almost any program made in Visual Basic is easy to crack.
That's not even remotely correct.
Maybe the ones you build :lol: :lol: :lol:
Penagate's right. VB6 has had a long-standing reputation for being difficult to decompile. Not that it's impossible, but it's not like opening the exe in notepad and finding the connection string.
Every Visual Basic program I've seen has been easy to crack. You can disassemble and debug them extremely easily. And even with a lot of 'professional' programs, yes, it is just like opening it in notepad and finding the string, if you have the right tools.
Quote:
Originally Posted by sevenhalo
Hey
As I said before, if you need to keep something secret, then use the DPAPI.
You're not relying on hiding the secret within the code or a resource file.
You're relying on the encryption algorithm. The encryption key is related to your password. It uses 3DES to do the encryption.
It's safe, because it's computationally infeasible to break the algorithm.
Don't ever try to rely on obfuscation or any other way of hiding secrets.
Security through obscurity is no security at all.
Hope this helps
Chris Seary
Some more detail would be really helpful for me. :afrog:
Quote:
Originally Posted by oldbear
Hi
Here's the link:
http://msdn.microsoft.com/security/.../SecNetHT00.asp
Look at the 'How To' sections under the heading 'cryptography'.
This tells you everything - even gives code samples. The document 'Building Secure ASP.Net Applications' (download the pdf from the MSDN Security site) contains all of these articles, with lots of explanation and diagrams.
Also, the Microsoft Enterprise Libraries (only for .Net) allow you to use the DPAPI quite easily. Here's a link to using it:
http://www.pnplive.com/Slides/22MAR2...%20Webcast.ppt
You could write what you need in .Net, and then expose it to COM via a CCW.
Here is another article exploring the underlying method calls of the DPAPI.
Hope this helps
Chris Seary
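
The DPAPI approach recommended in the posts above, shown as an added example that is not code from any poster or from the linked MSDN articles: it calls the .NET `ProtectedData` class from VB.NET so that only ciphertext is stored on disk. The file name, entropy string and connection string are constructed sample values, and the code assumes Windows with a reference to System.Security (or the System.Security.Cryptography.ProtectedData package).

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module DpapiSecretStore
    ' Hypothetical file name and entropy value, constructed for this example.
    Private Const BlobPath As String = "dbconn.bin"
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("example-app-entropy")

    ' Run once at configuration time: encrypt the connection string with DPAPI
    ' and write only the ciphertext to disk. Nothing secret stays in the EXE.
    Sub SaveSecret(plainText As String)
        Dim clear As Byte() = Encoding.UTF8.GetBytes(plainText)
        Try
            Dim blob As Byte() = ProtectedData.Protect(
                clear, Entropy, DataProtectionScope.CurrentUser)
            File.WriteAllBytes(BlobPath, blob)
        Finally
            Array.Clear(clear, 0, clear.Length) ' wipe the plaintext buffer
        End Try
    End Sub

    ' Run at start-up: returns Nothing when the blob is missing or cannot be
    ' decrypted (different Windows account, different machine, tampered file).
    Function LoadSecret() As String
        If Not File.Exists(BlobPath) Then Return Nothing
        Try
            Dim clear As Byte() = ProtectedData.Unprotect(
                File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(clear)
        Catch ex As CryptographicException
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed sample value, not a real credential.
        SaveSecret("Server=db.example.invalid;Uid=appuser;Pwd=constructed-sample;")
        Dim conn As String = LoadSecret()
        Console.WriteLine(If(conn Is Nothing,
                             "secret unavailable",
                             "secret loaded, length " & conn.Length))
    End Sub
End Module
```

With `DataProtectionScope.CurrentUser` the blob can only be decrypted under the same Windows account, so a copied file or a different user gets `Nothing` back. Any code running as that account can still call `Unprotect`, so this protects the stored secret from other accounts and offline copies, not from the person running the program.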