Is encrypting web.config a best practice? [closed] - c#

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
Currently, we are developing a website open to the public. We are paying great attention to security.
We have a lot of sensitive information in web.config, such as the db connection string in , should we encrypt this db connection string information? Alternatively, should we encrypt the whole web.config file?
Could anyone give me some idea of how a hacker gets the web.config information?

The web.config is specifically excluded from being served by ASP.NET. You can't access that file unless you really screw up (that is: you can still read the file from disk of course and serve it yourself).
You do not need special protection for the outside world. The inside world can be as dangerous as the outside: if a lot of users have access to the web.config file from within your organisation, you might expose the username and password set in the connection string. It is better to use integrated security for that: you don't need usernames and passwords any more then. It doesn't get safer than that.
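Added example (not part of the answer above): a small C# audit that reports, for each entry in a web.config `<connectionStrings>` section, whether it stores a password, relies on integrated security, or sits in an encrypted section. The class name, the sample XML and its server, database and credential values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Linq;
using System.Xml.Linq;

static class ConnectionStringAudit
{
    // Keywords that carry a secret in SQL Server style connection strings.
    static readonly string[] SecretKeys = { "password", "pwd" };

    public static IEnumerable<string> Audit(string configXml)
    {
        var section = XDocument.Parse(configXml).Root?.Element("connectionStrings");
        if (section == null) yield break;

        // A protected section carries configProtectionProvider and holds
        // <EncryptedData> instead of readable <add> elements.
        if (section.Attribute("configProtectionProvider") != null)
        {
            yield return "connectionStrings: encrypted section";
            yield break;
        }
        foreach (var add in section.Elements("add"))
        {
            var name = (string)add.Attribute("name") ?? "(unnamed)";
            // DbConnectionStringBuilder parses key=value pairs; keys are case-insensitive.
            var builder = new DbConnectionStringBuilder
            {
                ConnectionString = (string)add.Attribute("connectionString") ?? ""
            };
            bool hasSecret = SecretKeys.Any(k => builder.ContainsKey(k));
            bool integrated = builder.TryGetValue("integrated security", out var v)
                && new[] { "true", "sspi", "yes" }.Contains(v.ToString().ToLowerInvariant());
            yield return hasSecret ? $"{name}: PLAINTEXT PASSWORD"
                 : integrated ? $"{name}: integrated security, no secret stored"
                 : $"{name}: no password keyword found";
        }
    }

    static void Main()
    {
        // Constructed sample input, not taken from a real application.
        const string sample = @"<configuration><connectionStrings>
  <add name='Legacy' connectionString='Server=db01;Database=Shop;User Id=app;Password=example-only' />
  <add name='Main' connectionString='Server=db01;Database=Shop;Integrated Security=SSPI' />
</connectionStrings></configuration>";
        foreach (var line in Audit(sample)) Console.WriteLine(line);
    }
}
```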

Related

How to store database password in a program for it to access the database? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
I need my program to be able to connect to some kind of a database (e.g. SQL) and obviously the program needs the password to get access to the database. And setting a hardcoded variable with a password would be more than enough but I want to think like it's a real life situation. So I want it to be stored securely, and hardcoding a password to the code from what I know is not a very good idea. How do I do it then? I searched multiple forums, topics and maybe there was an answer but I'm not gonna lie it is complicated. Any help?
It's a broad question but the simple answer is that you would not store it but instead make the user provide a password.
Typically you would have an API server between an app and a database rather than allow direct access to the DB. The API would have a route that accepts a username and password and returns a JWT or some other kind of authorization token. Subsequent calls to the API would also send the token, which is used to verify the requests. You can store the authorization token locally but it's something you should try to protect from other applications as much as possible.

C# SQL Server database reverse engineering [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
I made a C# program with a login interface and used a SQL Server database. Can someone recover my database information by decompiling the EXE program generated?
Note: I interpret your question as someone who had the username and password for a database and has since lost it and is looking for a way to get it back. If your question was asked in the sense of "is it possible for a person to hack my program and read my connection string" then using the word "anyone" instead of "someone" would have made this more clear.
Onto the answer:
Yes, "Someone" can, as long as that someone is you - we aren't here to do that for you.
In an ideal world, no reverse engineering would be needed - just open the config file and read the connection string out of it. Did you save your connection string in the config file?
If you hard coded it, use something like ILSpy to decompile your .NET exe. Use of ILSpy or similar decompilers is not difficult; most of them can work by you dropping the exe into the main window of the decompiler and then reading the code.
Once you have the connection string you'll probably have the username and password if you didn't go to any extended means to hide them.

Is there any way to Read & Update appSettings.json file from any controller method to save usersettings in ASP.NET Core 2 MVC [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
I tried many tricks from StackOverflow to save and update the appSettings.json file but nothing is working. Some snippets work only in Startup.cs, and only for reading appSettings.json, not for updating it. Please help!
First of all, it's a bad idea to persist user settings into appsettings.json. The OS process executing your MVC app should never have write permission to this file for security reasons.
I would probably use a DB engine with ACID capabilities for this purpose. However, it could be ok to store such user settings in the file system - but in a separate file, at a safe location.
For example I'd create a folder named say App_Data in the application root folder, set write permission to it and place an adminsettings.json file into it. Then I'd use this file as my persistent storage for the said user settings.
Obviously, it would require some coding to make all this work. I put together a code sample for you which aims to reuse the configuration and options API of .NET Core. I think it exceeds the size acceptable here, so I made it available as a Gist.

SQL Connection without log steal [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I'm making a game with a login system which connects to a database, but my source code is not encrypted and I am worried that if someone decompiles my program, he can get the SQL logins. I wanted to know how to prevent that.
Since .NET Framework 2.0, there is a possibility of encrypting application configuration sections. However, it needs a bit of implementation.
Please refer to the following article.
https://msdn.microsoft.com/en-us/library/53tyfkaw(v=vs.110).aspx
Just another option... You can consider using "Integrated Security=SSPI" in your connection string. This will try to open connection to database with the user running your application main thread. However, this will require additional management on the SQL server side for permissions of the user but you won't be providing any usernames or passwords in your connection string.
And a note... Although I partially agree with Roblll with the comment on research, sometimes people need advice for the concept. If the concept is not there and you are lost, you cannot share a line of code, right? I think Stack Overflow is a great platform to ask and learn from replies. So keep on asking... Do your homework and don't be shy! :)
Cheers
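Added example (not part of the answer above): encrypting the `<connectionStrings>` section of an application's config file in place with the .NET Framework protected-configuration API. The class and method names are illustrative; `DataProtectionConfigurationProvider` is the built-in DPAPI provider, and the project needs a reference to System.Configuration.

```csharp
using System;
using System.Configuration;

static class ProtectConnectionStrings
{
    // Encrypts <connectionStrings> in <exePath>.config.
    // Returns true if the section is protected when the call returns.
    public static bool Protect(string exePath,
        string provider = "DataProtectionConfigurationProvider")
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null) return false;

        SectionInformation info = section.SectionInformation;
        if (info.IsLocked) return false;      // locked by a parent config, cannot modify

        if (!info.IsProtected)                // idempotent: skip if already encrypted
        {
            info.ProtectSection(provider);
            info.ForceSave = true;            // write the section even if otherwise unchanged
            config.Save(ConfigurationSaveMode.Modified);
        }
        return info.IsProtected;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ProtectConnectionStrings <path-to-exe>");
            return;
        }
        Console.WriteLine(Protect(args[0])
            ? "connectionStrings is encrypted"
            : "connectionStrings was not encrypted");
    }
}
```

The application reads the section through `ConfigurationManager.ConnectionStrings` as before, because decryption is transparent to it; this protects the file at rest and not against code running under an account that can use the same key. With the DPAPI provider the encrypted file can only be decrypted on the machine where it was encrypted.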

Where Should I Store a database Connection String? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 years ago.
I created an application in C# + WPF + MySQL. What is the best (safest) way to store database connection strings?
Store it in your App.config file and always encrypt it. This link will show you how to encrypt parts of your configuration file.
You could store connection strings in the configuration file. You may secure them if necessary.
Alternatively - the registry. The one place you do NOT store them is the app.config file (whatever.exe.config) as it is only in existence ONCE and the programs folder is not something users can change. Per user settings should never be there.
If the application is running on a server, I'd recommend the machine.config file and encrypt it in the same manner Fernando recommended. If the application is going to be distributed then app.config is where I would store them.
Well, I always follow one practice. Whenever I do something in SL or WPF, I always put a service layer between SL/WPF and the database.
You could use the Visual Studio settings / properties that are available when using Visual Studio. They are pretty simple to use, and if you use a user setting it is saved in the app data directory for the user, so it is semi-hidden away from tinkering. Then all you'd have to do is some form of encryption to lock it down completely if you so wanted.
I think the best thing about Visual Studio settings is the ease of use.
