问题
I created an c# application (not asp webpage) which connects to a sql 2005 server. In my sourcecode the password and userid for this sql-server is coded plain text in ConnectionString.
SqlConnection con = new SqlConnection();
con.ConnectionString =
"Data Source=server1;"+
"Initial Catalog=mydatabase;"+
"Integrated Security=no;"+
"User ID=admin;Password=mypassword;";
con.Open();
Is there a easy way to encrypt password or whole connectionstring, that other peoples who disassemble my tool are not able to see the password?
thanks
回答1:
You should store your connection string in a config file and encrypt that section. See http://www.4guysfromrolla.com/articles/021506-1.aspx or http://msdn.microsoft.com/en-us/library/89211k9b%28VS.80%29.aspx.
回答2:
There are two ways of doing it:
1) You can use Configuration Secure Section to encrypt and decrypt connection strimng from your source code:
try
{
// Open the configuration file and retrieve
// the connectionStrings section.
Configuration config = ConfigurationManager.
OpenExeConfiguration(exeConfigName);
ConnectionStringsSection section =
config.GetSection("connectionStrings")
as ConnectionStringsSection;
if (section.SectionInformation.IsProtected)
{
// Remove encryption.
section.SectionInformation.UnprotectSection();
}
else
{
// Encrypt the section.
section.SectionInformation.ProtectSection(
"DataProtectionConfigurationProvider");
}
// Save the current configuration.
config.Save();
Console.WriteLine("Protected={0}",
section.SectionInformation.IsProtected);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
2) You can Enterprise Library Data Access Application Block to perform the encryption using RSAProtectedConfigurationProvider or DPAPIProtectedConfigurationProvider.
For a full articvle go to --> http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx
回答3:
No, you can only make it difficult
It is better to let the application use a special database login which only got access to the tables/procedures necessary.
回答4:
You can encrypt sections in the app.config in the same way as web.config. MS calls it Protected Configuration. Since both the enrypted data and the key resides on the same machine it only makes it harder but in theory not impossible to get to the data.
回答5:
you can also store the UserName and Password in the Registry instead of storing in the config file. Read the Username and Password from registry when trying to connect to the database. Remember you have to Encrypt the Username and password while storing in the Registry and Decrypt the Username and Password while retrieving from the Registry.
来源:https://stackoverflow.com/questions/2160515/encrypt-sql-connectionstring-c-sharp