Hi I have a wpf application, developed using C# .net, and framework used is 4.5.
I was able to achieve Create, retrieve and delete operations related to the sql lite using EF6, and also was able to password secure the connection the sqlite db.
My problem is I want to secure the db file, I went through many links and googled for almost 3 days and came across various options, but few of them commercial and open ones are on C, nothing for .net.
So next approach was to keep file hidden for general user, as I dont want them to delete the file, as file is deleted then all the information in it will be lost.
I am willing to understand,the best practices out there to secure sqlite database file (please note the database is secured with Key).
I tried below things
Storing the file on Appdata folder, but it is accessible and easy
to remove the file, also someone can take the database file and try
to bruteforce to know the password, which may not be worthy :)
Storing the file in program data folder, but if the use installed
windows app is not admin, it may throw exception.
I came across IsolatedStorage, which seems to be hidden from general user,
and also we can define the scope for the sotrage, but the problem is I am not
able to implement if for .sqlite, as I do not know the exact path,
and to initialize the sqlite connection, we require exact path.
What could be the best way to secure the file. I do not want user to read, update or delete using other application, but should be accessible only through my application.
(Just comment for this post)
Sqlite database is normally can read and write from other user (Not from you app).For the problem of Open,Delete,Copy the sqlite db,I think you can lock the db file by Locking File(There are many type of locking file structure on google).So if you want to read data from your db,you unlock the db file with your specified key and open the connection.After that,you can lock the db file.
Related
I have a C# application which uses sql database on sqlexpress. My client will use on his/her computer, so I am concerned about database security. So I have following questions:
1- Should I use Windows Authorization on SQLEXPRESS or SQL Authorization? If I use WA, what if someone (who has a reach Windows Applications accidently, the computer will be in a school campus) reaches the data file and manipulate data (using SSMS maybe?)
2- I also tried to write a trigger on tables which stores sensitive data. My concern is not data reading, but manipulating is; such as insert, update and delete. I tried to use temporary tables (defined by c# application that has some hashed data), the trigger had to check if table exists and hashed data was correct. But c# application cannot reach temporary table even created by itself.
I tried EFS on Windows, but anyone can reach Windows grants, can deactivate EFS on database file. TDE is out of question also, because of SQL version.
The question is how can I check (or trigger check) whether database connection was made by .net applicaton? Is there any better efficient way to do it?
Yes, I solved it.
1- I realized that, I can use Windows Authorization but, to prevent data manipulaton beyond the application; giving minimal permissions to Windows user is better way to protect data.
2- Also realized that, I can use tempdb database to create permanent temporary tables. This solves my problem about temporary tables.http://jayeshsorathia.blogspot.com.tr/2012/03/beginning-sql-difference-between-local.html
Thanks for reading.
I wrote a reminder program that runs automatically on startup. I want to know if there is a way, other than SQL-Server, to store event, date and time data. I do not want to use SQL-Server for this work, because I think SQL-Server is very big for this simple task. I think that I can use a file to store data in it. What do you think about this?
Some common ways to store information:
As a file. You have many options where you can store the file. For instance, user directory, and program directory. Further explanation here and here. I prefer using a serializer (xml or json).
As a registry entry. You store your information as key-value pairs.
In a light-weight database:
RavenDB: its document-oriented, and stores data in json format
SQLite: relational; I recommend this SQLite Admin for managing purpose
Registry entries are more safe regarding user actions. On the other hand, files can be easily deleted.
You always have the option, to encrypt your information.
As a side note, you can also use PostSharp to declare variables to be stored in your registry. The code becomes something like this:
[RegistryBacking]
private bool _boolean;
I can provide code later if you need it... when I'm home again.
For the part where to persist
From this document (Managing User Data Deployment Guide, download):
Windows uses the Local and LocalLow folders for application data
that does not roam with the user. Usually this data is either machine
specific or too large to roam.
Windows uses the Roaming folder for application specific data, such
as custom dictionaries, which are machine independent and should roam
with the user profile.
So, I suggest using AppData\Roaming and persisting to a file since I consider a 'reminder app' to be user specific. And domain users for example would consider that valuable (syncing to server).
Local and LocalLow (the latter is used for low integrity mode, for applications with reduced privileges) would be more appropriate for some machine/installation specific data which can be calculated on-the-fly.
Registry seems great for some low amount of keys, but doesn't seem to be the best option for such use.
There is another option - IsolatedStorage, which should be used when mentioned options are not applicable, like when using ClickOnce deployments.
For the part how to persist your data to a file ... well, pick your favorite. You could use SQLite database which comes really lightweigt if you want more control and power or just use XML serialization to a file if you consider using SQLite an overkill. Or any of other viable options.
XML. .NET has classes that makes handling xml files easy. If you're saving structured data then XML might be your best bet.
I have for very similar reasons tried some easy to deploy databases and yet use the knowledge i have.
VistaDB 3.x and 4 are my first choice because they are very much SQL Server compaible and allows me to switch to sql server anytime i like. This supports EF too!!!
Next is db4o by Versant which is very very handy. I use it mostly for quick prototyping but i have deployed to several small solutions and perfect for your kind of application.
I hope that helps!
I have a billing application written in C# that uses an Access database (.mdb file) for storage. I'd like the application to support multiple users sharing access to the database but this fails with an error message similar to
The database has been opened exclusively by another user, or you do not have permission to open it
What do I do to allow multiple users to access the file?
if you really have to do it (and shame on you for using access to that) you have to realize access is FILE BASED.
Basically, you connect to the database file (using a driver), so to allow multiple concurrent users you must have a network in place with a file share on which you put the database. And you need to make sure your database is opened in a way allowing multi user access. I think I remember this being a setting on the database or something, that then forced it to create some lock file.
THAT SAID: move to SQL Server, Access starts really showing negative sides the moment you go network/multi user. It is discouraged by Microsoft for about 10 years now. This is one reason I think I remember - I stopped doing access multi user 15 years ago because it made no sense.
I have written a winform application that connects to a database on our corporate network. I created the database as I was writing the application. Now it’s time to document the schema and to provide a method of recreation in the event that it is lost for what ever reason.
I have been considering that the client application should ask the user if it should recreate it or provide new connection parameters. Note: the current Connection parameters are kept in an obfuscated text file that is included in the application setup.
What are best practices for recreation of the database or the storage of the schema. Should the schema be just kept in a text file in the application directory, or should it be embedded in the application as a string resource.
Also, does anybody know of a open source application that I could use in documenting the database.
Thanks for any assistance or direction you can provide
Probably the schema should be embedded within the application as a resource. I'm thinking this because you said the connection parameters are obfuscated, which suggests that you don't want users to have any real knowledge of the database. Providing the schema as a plain text file would allow them to make very reasonable guesses as to what the connection parameters are. Another easy way to recreate the database is to simply keep an empty copy of it embedded as an application resource. Instead of actually recreating the database, you can simply stream out this copy.
As for documenting the schema (your second question, which in the future please ask as a separate question entirely), I'm not really sure what you mean. Are you just wanting to document the tables and rows within your database?
I have a WPF application that stores a large amount of information in XML files and as the user uses the application they add more information to the XML files. It's basically using the XML files as a database. Since over the life of the program the XML files have gotten quite large, and I've been think about putting the data on a website, I've been looking into how to move all the information into an SQL database.
I've used SQL databases with web applications (PHP, Ruby, and ASP.NET) but never with a Desktop application. Ideally I'd like to be able to keep all the information in one database file and distribute it along with the application without requiring the user to connect to a remote database (so they don't need an internet connection - though eventually it would be nice if could compare the local file's version with one online somewhere and update if necessary) and without making them install a local database server on their computer. Is this possible?
I'd also like to use LINQ with any new database solution so switching to a database doesn't force to many changes (I read the XML with LINQ).
I'm sure this question has been asked and that there are already some good tutorials on the subject but I just can't find them.
SQLite is a good embedded database that you can ship along with your application. I have not done much more than some prototyping with it, so I personally cannot say with 100% certainty that it will meet your needs. But from what I have read, and what little I have written against it, it seems appropriate for the job.
SQLite Homepage
ADO.NET Provider
If you know how your objects are all going to fit together, you could serialize them/deserialize them to store them on disk as a set of ProtoBuf objects (depending on their size, of course). I've found that it's a pretty simple, elegant solution to storing a set of interconnected classes. Each class that should be savable, all your data, can be serialized using this method, and then restored as necessary.
Here's the .NET link to it.
This is a previous question I asked on SO, and got several good responses.