Believer

Reputation: 182

Most Secured way to connect MYSQL to Windows Form C#

There are already a lot of SO posts regarding this topic, but I want to ask again because some of the questions are already 2-3 years old.

List of suggested processes:

To be honest, I only understand the first one a little and I'm new to the other two. So my question is: what will be the most secure and easy to implement?

Just a background of the project I'm planning to build: different people will have the desktop application where they can log in and be redirected to the website. Meaning there is already an existing database for the website, but I need to create a desktop application so they can log in. You will ask why I need to create a desktop application if there is already a website? That is another side of the story :) Hopefully someone can give me insights.

Upvotes: 0

Views: 313

Answers (1)

wizzardmr42

Reputation: 1644

If you really need it to be secure, the connection string shouldn't be accessible to the end user, even in encrypted form. It isn't that difficult to debug into or even reverse compile .NET code. Obfuscation can help with that, but it is good practice to treat any code that is compiled into something that the end user can access as being readable by them, which means that if your code can decrypt it, a sufficiently savvy end user with the right tools can too. Effectively, that means that you need some kind of intermediary such as a web service for it to be properly secure. The web service can be kept entirely within your control as can the connection string. This is the same principle that you'd use if you were providing the web service to external parties as an API (and it isn't a bad idea to write it as though you were).

The downside of writing a web service is that it is pretty tedious and can be a pain to maintain things like change tracking (I think EF may have some solutions to that, but I haven't looked at them). This is one reason why a lot of people are writing web-based applications these days rather than Windows Forms (and I suggest you have a good think about whether Windows Forms is really needed or if you can do most of it web-based and only a small part in Windows Forms).

If you want a compromise and you don't want to provide the connection string to the end user in a config file, you could use a web service to authenticate that the user (or at least your app) is genuine and then provide an encrypted connection string which is never stored to disk. That doesn't stop the app being decompiled to work out how to get it, but it makes it more difficult. You have to use your judgement as to how much of an issue security is in your particular situation.

Upvotes: 1
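The intermediary the answer recommends, sketched as an added example (not code from the answer or the asker's project): an ASP.NET Core minimal API (.NET 6 or later, MySqlConnector package assumed) that holds the MySQL connection string server-side and hands the desktop app only an opaque session token. The environment variable name, the `users` table and its `password_salt`/`password_hash` columns, and the PBKDF2 storage format are all assumptions for the sake of illustration.

```csharp
using System.Collections.Concurrent;
using System.Security.Cryptography;
using MySqlConnector;

var app = WebApplication.CreateBuilder(args).Build();

// Assumption: set in the server's environment only; the client build never contains it.
string connStr = Environment.GetEnvironmentVariable("APP_MYSQL_CONNECTION")
    ?? throw new InvalidOperationException("APP_MYSQL_CONNECTION is not set");

// In-memory sessions (token -> user id). A persistent store or signed tokens
// would replace this in production; the trust boundary stays the same.
var sessions = new ConcurrentDictionary<string, long>();

app.MapPost("/api/login", async (LoginRequest req) =>
{
    await using var conn = new MySqlConnection(connStr);
    await conn.OpenAsync();
    // Hypothetical table and columns; parameterised so client input never becomes SQL text.
    await using var cmd = new MySqlCommand(
        "SELECT id, password_salt, password_hash FROM users WHERE username = @u", conn);
    cmd.Parameters.AddWithValue("@u", req.Username);
    await using var rd = await cmd.ExecuteReaderAsync();
    if (!await rd.ReadAsync()) return Results.Unauthorized();

    // Assumed storage: PBKDF2-SHA256 hash plus a per-user salt, both as raw bytes.
    byte[] salt = (byte[])rd["password_salt"];
    byte[] stored = (byte[])rd["password_hash"];
    byte[] computed = Rfc2898DeriveBytes.Pbkdf2(
        req.Password, salt, 100_000, HashAlgorithmName.SHA256, stored.Length);
    if (!CryptographicOperations.FixedTimeEquals(computed, stored)) return Results.Unauthorized();

    // Only a random token is returned; the connection string never leaves this process.
    string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
    sessions[token] = Convert.ToInt64(rd["id"]);
    return Results.Ok(new { token });
});

// Every piece of data the desktop app needs is served by an endpoint like this,
// so the app never talks to MySQL at all.
app.MapGet("/api/profile", (HttpRequest http) =>
{
    string auth = http.Headers["Authorization"].ToString();
    const string scheme = "Bearer ";
    if (!auth.StartsWith(scheme) || !sessions.TryGetValue(auth[scheme.Length..], out long userId))
        return Results.Unauthorized();
    return Results.Ok(new { userId }); // a real handler runs another parameterised query for this user
});
app.Run();

record LoginRequest(string Username, string Password);
```

The Windows Forms client then only needs `HttpClient` over HTTPS: POST the credentials to `/api/login`, keep the returned token in memory, and send it as a `Bearer` header to the other endpoints.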
