I wrote WinForm application using C#. The application needs to be connected to a database, so it contains code such:
String connstring = String.Format("Server={0};Port={1};" +
"User Id={2};Password={3};Database={4};",
"localhost", "3456", "username",
"password", "databasename" );
That means that the user and the password of the database server is included internally in the application. I think this is not a secure way. Is there any way can give more security?
You could add an encrypted connection string to your app.config.
For more information : Securing Connection Strings
You can store them in a local file and then use system permissions to make it hard to modify the file.
Ignore this problem.
Let the user enter database username/password
Don't connect to a database, but connect to a Http service, so you don't leak the database connection password any way.
Related
If I want to make a C# login form, with a Mysql databse which provides the userdata, in c#, i would say it's unsafe to write the database password, database username and database name in the connection string. Am i right? And is there another way like a webserver which will connect to the database and check if userdata is right?
You should store such things in a configuration file. .NET has the option to use encryption in web.config / app.config.
https://msdn.microsoft.com/en-us/library/ms254494(v=vs.110).aspx#Anchor_2
Either way you will have to provide those credentials. You can pass them in connection string in your code (OR) can have those maintained in web.config or app.config file in which case you can actually encrypt the password and have the encrypted value mentioned in connection string.
I have developed a c# program I want to use to access a remote server from a client computer on the same domain.Every time I try to connect to the database I am getting an error login failed for user domain\myclientusername
Using the connection string below:
<add name="dbname" connectionString="Server=remoteservername;Database=dbname;Integrated Security=True;"/>
I have already checked and the server is set to allow remote connections. I am able to log on to the server using admin credentials do I need to set the connection string to use admin password and user name to connect to the database? or do I need to add my client profile credentials to the database permissions. Very new to deploying applications.
You will need to set up access to the database for the connecting user/client PC. You sort of "map" a user on the domain to a SQL user or group
Go to SQL management studio> connect to your database> expand databases > expand 'security' and then 'logins'
right click logins and select new login. search for the user of the connecting user/client PC. Then under the "user mapping" tab you can give access to the specific database. it may be best to give "db_owner" at first just to ensure you have the connection. after that, you should limit the access to only what is needed.
you can always check the SQL events log from the SQL machine itself and see what the specific authentication issues may be. go to "Events" in the Administrative tools (which is in control panel) and you can see SQL specific events.
Either you can remove the Integrated Security=True in your connection string and insert the username and password of a Login you create in you SQL Server database to your connection string.
Or, you can create a login for the user under which your c# program is running (yourself - for testing, domain service account under production) to the SQL Server and give it appropriate read/write access.
More information on connection strings: http://www.connectionstrings.com
More information on how to create login in SQL Server : http://msdn.microsoft.com/en-us/library/aa337562.aspx
When you set Integrated Security=True , the current Windows account credentials are used for authentication.
Since you are trying from a different PC than the one that is running the SQL instance it is much likely the acount you are trying to connect with differs from the acount registered to the instance log in.
what you can do is:
Use Integrated Security=sspi and provide the login credentials, e.g:
connectionString="Server=remoteservername;Database=dbname;User id= myUser; Password=myPass;Integrated Security=sspi";
you can also set Integrated Security=false and also provide the credentials, (but the connection won't be using Windows Athentication)
I'm currently developing an application based on ASP.NET MVC3, SQL Server 2008 and EF with database first.
My application requires every user to have it's own SQL Server database. These databases all have an identical structure.
My customers are identified with a customercode, e.g. fgt. This code is provided in the url.
I need to know how can I retrieve the customercode from the url and set the connection string accordingly.
Thanks for the help
My idea is to connect to the database once the customercode is retrieved from the URL and then prompt to user to enter his username and password for access data.
But yes, is a good idea to create a database to store the connection string of each customer.
Can anyone write the code that I need for do this please?. I am new to asp. I come from php.
(I'm just learning English. Sorry about the bad grammar)
Try something like this to get started:
string customerCode = Request.QueryString["cust"].ToString();
string myNewConnString = ConfigurationManager
.ConnectionStrings["MyDatabase"]
.ConnectionString
.Replace("[placeholder]", customerCode);
Where your connection string in your .config is something like this. Note that I've assumed you'll place a token to be replaced ([placeholder]).
<add name="MyDatabase"
connectionString="Data Source=192.168.0.1;Initial Catalog=[placeholder];User ID=foo;Password=bar"
providerName="System.Data.SqlClient" />
Suggest that you whitelist your customers and their connection strings.
setup a web service on your side.
your deployed application calls your web service using the customer code.
web service validates the customer code, and returns a valid conn string.
customer's app keeps the conn string in memory (session, cache, whathaveyou).
This would allow you to ensure the conn string is always valid for a given customer code. You'd have fine grain control on access to the database for any reason (non-payment, etc). Your service would have a few hits thanks to any caching that you build in.
maybe sqlshard could help you in using multiple databases?
http://enzosqlshard.codeplex.com/
Sounds like pretty insecure solution. What if customer put another customer code in URL? Where is validated if customer can access that code if you don't have any central database with customer's permissions?
You need authentication and some central store (additional database) where you will validate that user accessing the application has access permissions to provided URL. It will also validate if such database even exists. Next you need just SqlConnectionStringBuilder and use the customer code as a name of database (or part of the name). For security reason each database should have a separate SQL account with permissions to read only from that database. This db account can also be stored with that central storage with encrypted passwords.
There can be additional complexities if you also expect dynamical adding or removing customer codes = databases. That would require high privileged account to manage logins, accounts, databases, etc.
Because you are asking how to get part of Uri it looks like you have almost no experience with ASP.NET MVC and perhaps with everything related. You should definitely ask any more skilled colleague or boss to review your architecture because at this point it looks like you are going to have serious problems and you can develop very insecure application which can significantly harm reputation of your company and your customer.
I am always doing the following Login module:
Create a table with Username and Password
Login by checking the user table.
So how do I use integrated Login just like the application like Sql Server? I don't mean by passing a connection string, I mean it will check the credential of my application without putting any username and password.
Thanks
EDIT:
I don't mean the SQL Server integrated Login, I mean my application's integrated login, is it possible?
For example, my application will read the AD's name and compare to the current username, then I don't need the user to type in a password for my application.
I am not sure how do I do that and where to start, since if I search Integrated Login, 99.9% of the results from Google will give me the connection string, which I am not looking for that.
[This answer assumes that you're on an Active Directory domain]
Are you using active directory windows authentication? If this is the case you can use the integrated security option in the connection string.
Here's an example connection string using integrated security:
"Data Source=MyServer;Initial Catalog=db name;Integrated Security=True"
This would reduce the complexity allowing you to forget about having to ask the user for a username and password because it'll pick up the windows credentials that they've logged into the workstation with.
Edit:
If the application is a website then you'll need to set the SQL server as "trusted for delegation" in active directory (see http://msdn.microsoft.com/en-us/library/aa905162(SQL.80).aspx). This will allow the webserver to delegate the user's windows login credentials to the SQL server. If you don't do this then the SQL connection will be anonymous.
Assuming that your application will be running with Active Directory on the local network I think there are a few options, depending on how do you want to implement authorization.
If you want/need to do authorization with some custom rules/logic then the first thing you need is to determine who ran the application:
Environment.UserName in conjunction with Environment.UserDomainName will give you enough information;
Alternatively (and more secure) you have use the following code snippet:
AppDomain.CurrentDomain.SetPrincipalPolicy(
System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
var identity = Thread.CurrentPrincipal.Identity;
From the identity you can extract Security Identifier which is designed to be globally unique. (But not that pretty as domain\username pair.)
After getting current user's name you can apply whatever authorization rules you want.
I am deploying a Windows Application that uses SQL Server 2005. The program will use SQL Authentication.
My question is, how do you handle the connection string when you don't know what the username/password will be? Do you load this from an encrypted file? Or are there provisions for handling this already?
If the user will provide their login details (username and password) then you just need to provide the ability to enter them in your app, e.g. show a dialog asking for these details. You can then use those values the user gives to build the connection string in your code.
Alternatively, if all your users are going to be using a single SQL account to connect then you can put the connection string in your app.config file using encryption if you want to hide it from your users, see cmsjr's answer for an example of how to do this.
Alternatively, if you're developing this on an internal domain (intranet) then switch your database to integrated security and put your users domain accounts into the relevant access group on your database server. Then you won't have to worry about collecting username or passwords at all.
If the enduser will provide the password you don't need to do anything, dont save the usernamne/password in the config file.
If you don't want the end user to provide the password you could put it in the config file at installation. But that could be a problem if the username needs to be changed and you have encrypted the connectionstring.
Encrypting sections of the configuration is not as simple for a windows app as for a web app, but it is certainly doable. Here's a sample.
Just make sure to check the username/password for "weird" characters that the user might enter. The last thing you want is for them to change around your connection string. Then basically you just specify the driver (if using ODBC), the database, the server, but leave all the username/password and trusted connection info out. Then just tack on username= and password= which will be set equal to what was entered by the user on the end. However watch out for semicolons. I've never tried to see what happens if there is both a username/password and a trusted_connection = true.