Securing SQL connection strings

[Tyson Marchuk]

Hello,

Background info
Kind of new to using databases and I'm writing an app in C# which connects
to a MySQL database. I was using the ODBC connector and a DSN entry to
connect to the database but I've since found out that the ODBC connector has
been bugged for some time and you can't send it numeric values (read
floating point values) which basically makes it useless so I'm trying to
switch to the MySQL .NET connector which I believe can handle this case.

Question
Basically I just want to connect to a known database with a known
username/password. I don't want to prompt the user for a name/password
because they don't know this information (and in my opinion they shouldn't).
My concern is that if I put this information in a connection string in code
then it's available in the compiled version of the application so anyone can
lookup the username/password with a hex editor or some-such. I guess I just
want to know what the 'proper' way is to handle connection string data so
that it's relatively safe. I'm not super-paranoid about security because it
won't be run on a generally accesible computer but it just seems stupid to
me to put a password in plaintext in a source file...

Thanks for any help anyone can provide,
-Tyson Marchuk

 

[Italo Silveira]

Tyson,

Microsoft has an example called IssueVision that shows how to do this.
Basically what it does is encrypt the connections string in the config file
and decrypt before establishing a connection to the server. You can find it
at:

http://www.windowsforms.net/Applications/application.aspx?PageID=40&tabindex=9

Good Luck,
Italo

 

[Tyson Marchuk]

Thanks.

I'll have to go through that and see how they managed the
encryption/decryption. Any hints on where I should be looking? Lots of
source there.

Thanks again,
-Tyson

 

[Tyson Marchuk]

Nevermind I think I found the right sections.

Looks like what I was looking for.

Thanks again,
-Tyson