Geek Answers Handbook

C # mysql connection practice

If a C # application connects to the mysql server from the client, how can I save the mysql username / password for the connection? If I have it in the configuration file or embedded in the source, it can be found by reverse engineering. Unable to provide all users with MySql password.

In addition, I have an input for the application. How can I ensure that the user goes through the login process and doesn’t just redesign and comment on the C # code checking the log?

Are these connections between MySql and the client application supported, or should there be a third server-side program communicating with the local locale to be safe?

+7
security c # mysql
source share
3 answers

Perhaps you can have a two-stage system: to have an SQL account, the only permission of which is to execute the stored procedure using the user name and password of the user and provide them with credentials for use in a real account. When a user logs in, you connect using a limited account, get the credentials for a real account, and do your work using that account. You can also frequently change your SQL password. If you suspect a user of neglected play, ask the procedure to return another set of credentials to them and track these credentials.

+3
source share

For Winform clients that are directly related to db, this is an age (10 years or so) that will never be allowed.

The problem is that no matter how you encrypt or obfuscate the connection string, there will always be a point in time when the string will be presented as plain text in the memory of the client computer and, therefore, cracked.

Other SOers recommended you, I just thought I wanted to indicate what you are trying to work on.

+2
source share

Here is the problem. You trust the end user binaries that will trigger MySQL queries. This means, without a doubt, that a smart user can β€œtake control” and run queries directly.

There are things you can do to improve the situation. It looks like you are on a local network. Why can't you give each user their own database user? This means that authentication (a) took care of you, and (b) you can use the "real" MySQL permissions to limit what harm they can do. In addition, you can use stored procedures and give them only access to procs, which really limits their actions.

You can also consider rewriting as a web application, where you process everything on the server out of reach.

However, is this really a problem, or are you just theoretical?

+1
source share

More articles:


All Articles