Geek Answers Handbook

Proper SQL credential storage

Firstly, this is an educational question - not what I implement in a production application, as I am learning the basics of C #.

Currently, I have a solution containing 2 projects (actually 3, but one is unit testing);

  • The form
  • Class library

Inside the class library, I have a class called Database.cs and it is communicating with the MySQL database. I do not directly communicate with this Database.cs class, but other classes inside the class library (e.g. Products.cs ). Although I need credentials to connect to this MySQL database, and I'm not sure where to go to make it safe.

Storing it in a class library / hardcoding credentials inside a class.

This does not make sense to me, since the user can easily capture the DLL, and he technically got the credentials in the database.

Pass the credentials through the form to the class (for example, Products.cs ) and this class passes it when initializing the database object

It can work, try and work, but I'm not sure if this is the β€œbest” way to do it.

Write a static class containing credential properties

Again, if I create this static class inside the Class Library, then I almost do not belong to my first example. If I created this static class inside Form , I need to add a link to the Form project from my class library (not the way I want it).

I tried looking for things, but I apparently am not doing it right. Is there any other way to do this?

+7
source share
2 answers

First of all, never consider hard code credentials in your code, as credentials tend to change over time, so you will need to recompile and redeploy your application each time the SQL credentials change.

Usually, all the information needed to connect to the database is stored in the application configuration file as a string.

If your application is a web application, then you should go, because web.config (the web application configuration file) is stored on the web server and is never served by web requests. But if your application is a Windows Forms application, then security considerations mean that any user who uses your application can look into the application configuration file and get credentials. If it were Microsoft SQL, I would recommend using Windows Authentication. But with MySQL, I think you are doomed to store the username and password in the connection string. Then I would suggest providing your encrypting it connection string.

In addition, if your users can / must authenticate with the MySQL server (enter the MySQL username and password), you can use the connection string template and replace some of its parts with the username and password:
app.config

 <connectionStrings> <add name="MyApplication" connectionString="Location=myServerAddress;Data Source=myDataBase;User ID={0};Password={1}; Port=3306;Extended Properties=""""; /> </connectionStrings>

C # code

 var username = textboxUsername.Text; var password = textboxPassword.Text; var connectionString = string.Format(ConfigurationManager.ConnectionStrings["MyApplication"].ConnectionString, username, password) // at this point you have a connection string whitch could be passed to your Products class
+4
source

Do not print your credentials, as this may cause problems. Firstly, if you need to change the credentials for entering the database at a later stage, you will have to recompile your class library, and secondly, as you indicate that security will be compromised.

It’s a good technique to leave connection information in the main application, rather than storing them in your data layer. Refresh your data layer to accept the connection string at run time, this value must be passed by the main application to the data access level.

Thus, you get 2 advantages:

  • When you deploy the application, the deployed location may have different connection credentials than your development environment.
  • You can encrypt connection strings in the configuration file to increase security
+1
source

More articles:


All Articles