Reputation: 81
I've built an application that utilizes a database hosted with Amazon. I'm trying to find a way to connect to this securely, and overall, I've been assured that I have no idea what I'm doing.
My original intent was to store my database credentials in my application with encryption, but I've been led to believe that using a web service would be a better option, as nothing stored locally can really be secured. However, I have no idea how to use a web service for this and/or why it would make a difference.
In using a web service, would I be building a Windows Server and deploying this "web service" to it to connect to, which would then connect to my database? That almost seems superfluous, though I still consider myself to be an amateur. Even then, how would I authenticate to it securely?
The end-game for me is to be able to store DB (and PayPal seller credentials) somewhere that a user cannot access in any case, but my program can. It seems much more cut and dry than people here and elsewhere have made it seem, but again, I'm a newb.
Any direction would be greatly appreciated! I'd like to deploy this soon, outside of our organization, for testing and such.
Thanks, guys!
Upvotes: 0
Views: 905
Reputation: 3566
If your database is MySQL, then you can use Connector/Net from MySQL. Credentials for the db are usually kept in the web.config of your application. Also, I see no reason to use a web service in your case. Web services are used when you need to transfer data from one system to another, not to provide better security for a database connection.
EDIT: As Michael kindly explained, this approach is for a web application which is hosted on the server. As for a client application, keeping the database credentials in the app (encrypted or not) is a very bad idea. In this case an additional web application should be developed, which will provide a way to authenticate users using a web service (over https) and transfer the data to users from the database.
Upvotes: 0
Reputation: 179194
To me, it's unthinkable to give your "application" -- which I assume means an "app" deployed on people's devices or maybe some kind of a desktop application -- direct connectivity to your database, unless the thought of putting the key to your car in a paper envelope and sticking it to the window seems secure.
The application should have an extremely small number of very specific things it can do to the database, and should be leaving a trail of exactly what it does and from where and on whose behalf. The app can make requests to a service, such as a REST API, running on your application server -- the "web service" -- over https, and your application server would then mediate the requests and fetch values from, or send updates to, the database, as appropriate... only after the app has convinced the application server that it indeed represents the particular user that it claims to represent.
It's a fundamental principle that anything you don't control, you can't trust.
"Why it would make a difference" is the difference between "Ha! I hacked one user's password" and "Ha! I stole your database." The application server can authenticate any request as being legitimate for the particular end-user credentials presented... while the database is, in large measure, ill-prepared to do anything of the sort.
The end-user (not the application) would authenticate to the application server, the application server would validate those credentials against the database, providing no hints as to why authentication failed... user not found, password incorrect, we don't know, we don't care -- sorry, login failed. Give us your e-mail address and we'll send you a support email, or if that's not an e-mail we have on file, we'll pretend that we did. Hints help hackers.
> store ... PayPal seller credentials

Well, you'll want to be sure that's not among the things that are prohibited from "collect, capture, use, or store" in section 10.1.2 of the PayPal Developer Agreement.
So, how do you do this? That part of the answer takes us a little bit out of scope, because there are many options, the landscape shifts, and it's largely a matter of opinion as to the "best" way, but I'd assume ASP or PHP would be the most straightforward.
Think of it as building a database-enabled web site without the hassles of making it pretty, because nobody's going to see it except the back-end of your app... and there's your "web service".
> I've been assured that I have no idea what I'm doing
That puts you way ahead of the terrifying number of people who don't realize that they don't know what they are doing.
Upvotes: 1
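The mediation described in the answer above, sketched in Python as an added example that is not part of the original thread: the server authenticates the end user, returns the same failure for every cause, exposes only allowlisted operations, and keeps an audit trail. The function names, sample users, in-memory dicts standing in for the database, and the omission of the HTTPS transport are all assumptions of this sketch.

```python
import hashlib
import hmac
import os
import secrets

ITER = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def _make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample data standing in for the real database, which only
# this server process can reach; the client app never holds DB credentials.
USERS = {"alice": _make_user("correct horse"), "bob": _make_user("hunter2!")}
ORDERS = {"alice": ["A-1001"], "bob": ["B-2001", "B-2002"]}
DUMMY = _make_user(secrets.token_hex(16))  # hashed when the user is unknown
SESSIONS = {}   # token -> username
AUDIT = []      # server-side trail: (source, user, event)
LOGIN_FAILED = {"ok": False, "error": "login failed"}

def login(username, password, source):
    """Authenticate the end user; every failure looks the same to the caller."""
    rec = USERS.get(username, DUMMY)          # same hashing cost either way
    match = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    if username not in USERS or not match:
        reason = "unknown user" if username not in USERS else "bad password"
        AUDIT.append((source, username, "login denied: " + reason))  # log only
        return dict(LOGIN_FAILED)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    AUDIT.append((source, username, "login ok"))
    return {"ok": True, "token": token}

# The only operations the app may request; each acts on the caller's own rows.
ACTIONS = {"list_orders": lambda user: list(ORDERS.get(user, []))}

def handle(token, action, source):
    """Mediate one request: known session, allowlisted action, audited."""
    user = SESSIONS.get(token)
    if user is None or action not in ACTIONS:
        AUDIT.append((source, user, "denied: " + str(action)))
        return {"ok": False, "error": "request denied"}
    AUDIT.append((source, user, action))
    return {"ok": True, "result": ACTIONS[action](user)}
```

The reason a login failed is recorded only in `AUDIT` on the server; the client receives the identical response for an unknown user and a wrong password.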