0

I have created a forms application for my project. I want to host it on my website for users to download and test it. Because I am using a configuration manager I have to include the config file along with the .exe, as there is a back-end remote database for the application. And of course I only now realize my connection string is there for all to see. I tried renaming the app.config to web.config, but the aspnet_regiis -pef command just returns a help menu when run as admin on my Vista machine! Even if this command works and I rename web.config back to app.config, will the machine which runs the app when downloaded automatically decrypt the connection string? So in conclusion, what is the best way for a novice like me to approach this dilemma? Why does aspnet_regiis -pef not run? I have also looked at other posts about this topic but unfortunately they have not worked for me so far.

2
  • 1
    aspnet_regiis is a tool for configuring ASP.NET applications, not WinForms. Commented Jan 18, 2013 at 13:53
  • Yes I know. But I saw a trick online whereby one can use aspnet to encrypt a config file by renaming it to web.config, performing the operation and renaming it back to app.config. Commented Jan 18, 2013 at 14:21

2 Answers

4

Either create user-specific connection strings, or wrap all your data access in some web services, where you can control the authorization.

Creating user-specific connection strings is the simplest, but may have an impact on the DB charge. You can still keep one connection string, but use Windows identity to connect. In both cases, you will have to spend some effort to ensure users won't be able to do more than what they are allowed to do.

Wrapping your data access in web services is far more manageable but will require extra work to make it work. Maybe you can take a look at RIA Services. The advantages are multiple: you can control the permissions within the web services, and you are reducing the exposure to unwanted queries.

Please also note that even if you encrypt the connection string in the configuration file, any malicious user will be able to decrypt it. A simple decompiler will highlight your decryption key.


2 Comments

Sorry, by former solution, you mean renaming my app.config to web.config, trying to use the aspnet_regiis -pef command and renaming web.config back to app.config?
Not at all. I've reformulated my answer to remove the ambiguity.
2

You could just store an encrypted connection string in the app.config, but you will have to include the encryption key somewhere in the application. Therefore this is not safe, because everyone can just decompile the application or attach a debugger and extract the connection string. Or monitor the network traffic. Actually there is no way you can prevent this from happening: whatever your application can do can be done manually by everyone (with access to the application).

The flaw in the design is that the application needs direct access to the database in the first place. It is close to impossible to ensure that the database cannot be corrupted in this scenario (unless the database is only used for reading data). Essentially you would have to replicate a large portion of your business logic at the database server to ensure that no sequence of requests will corrupt the state.

A better solution would be accessing the database only indirectly through a web service. This allows you to perform better and easier-to-implement server-side validation, and even authentication and authorization per user.

3 Comments

Well, I am stuck for time, so for the time being I would like to go with encrypting the connection string in app.config.
But maybe I am looking at this from the wrong angle. Currently in my connection string I use my admin login, which is the user level I use to create the database, create tables etc. Is there not a way to create a login on the database server which can only be used by the entity objects I have created for the application? I have constructed my entity objects to only access the database when the user has authenticated (I have a user table), plus they can only manipulate their own entries in the database.
I have created an encrypt class, but how do I access the connection string used and encrypt it, so it can be decrypted at some other point?
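An added example (not from the question or either answer) showing what protected configuration actually does for an app.config: it uses the same DPAPI provider that aspnet_regiis -pef uses by default, so no key ships with the application, but the encrypted section is then only readable on the machine that encrypted it. The section name and the "MyDb" connection-string name are assumptions; substitute the names used in the real app.config.

```csharp
using System;
using System.Configuration;

// Protects <connectionStrings> in the running application's .exe.config with
// the DPAPI provider. DPAPI keys belong to the machine (or user) that did the
// encryption, so a file protected here is NOT decryptable on a machine that
// merely downloads it: ConfigurationManager throws instead. That is why the
// answers above say encryption in the config does not solve the problem: to
// open the section everywhere, the key would have to ship with the app, and
// an embedded key can be recovered by anyone who has the binary.
static class ConfigProtection
{
    const string SectionName = "connectionStrings";
    const string Provider = "DataProtectionConfigurationProvider"; // DPAPI

    // Encrypt the section in place. Run once, on the deployment machine.
    public static void Protect()
    {
        var config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        var section = config.GetSection(SectionName);
        if (section == null || section.SectionInformation.IsProtected) return;
        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(SectionName);
    }

    // Decryption is transparent on the same machine and fails with a
    // ConfigurationErrorsException (wrapping a CryptographicException) elsewhere.
    public static string TryGetConnectionString(string name)
    {
        try
        {
            var settings = ConfigurationManager.ConnectionStrings[name];
            return settings == null ? null : settings.ConnectionString;
        }
        catch (ConfigurationErrorsException ex)
        {
            Console.Error.WriteLine("Cannot decrypt config on this machine: " + ex.Message);
            return null;
        }
    }

    static void Main()
    {
        Protect();
        // "MyDb" is an assumed name for the connection string entry.
        Console.WriteLine(TryGetConnectionString("MyDb") != null ? "readable" : "not readable");
    }
}
```

Running it on the build machine prints "readable"; copying the resulting .exe and .exe.config to another machine prints "not readable", which is the behaviour the question asked about and the reason the answers recommend a web service or a least-privilege login instead.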
