Secure ConnectionString in WinForm Applications

Submitted by 馋奶兔 on 2019-11-30 14:21:29

You can't. Although you can encrypt the connection string in the app.config file, the application needs to be able to decrypt it and it is therefore always possible to retrieve the unencrypted connection string, especially with a managed application (perhaps not for your typical end user, but any skilled developer can do this).

The solution to this is to not lean on security by obscurity. Use Windows Integrated Security when connecting to the database using the Windows user account and give the user the minimum amount of rights in the database.

Often though that is still not enough, because it is very hard to secure the database enough when end users are directly connected to the database (often because you need row level security). For this to work you need to deny access to tables and views and completely fall back to stored procedures.

A better approach, however, is to prevent the desktop application from communicating directly with the database; use a web service as an intermediate layer. In that case you have full control over the security and you can store the connection string securely on the (web) server.
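The integrated-security, stored-procedure-only setup described in the answer above, sketched in T-SQL as an added example that is not part of the original answer. The server, Windows group, database, table, column and procedure names are hypothetical, and SQL Server 2012 or later with an existing `SalesDb` database is assumed.

```sql
-- Added example; every object name below is hypothetical.
-- The client's connection string then carries no secret worth encrypting:
--   Server=SQL01;Database=SalesDb;Integrated Security=SSPI;Encrypt=True;

USE master;
CREATE LOGIN [CONTOSO\OrderDeskUsers] FROM WINDOWS;   -- Windows group, no password
GO

USE SalesDb;
GO
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    OwnerLogin sysname       NOT NULL,   -- e.g. CONTOSO\alice
    OrderDate  date          NOT NULL,
    Total      decimal(10,2) NOT NULL
);
GO

CREATE USER [CONTOSO\OrderDeskUsers] FOR LOGIN [CONTOSO\OrderDeskUsers];
CREATE ROLE app_client;
ALTER ROLE app_client ADD MEMBER [CONTOSO\OrderDeskUsers];
GO

-- No direct access to tables or views. DENY overrides any GRANT the
-- user might pick up through another role membership.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_client;
GO

-- Row-level filtering lives in the procedure. Procedure and table share
-- an owner (dbo), so ownership chaining lets the procedure read the table
-- although the caller cannot. Dynamic SQL inside the procedure would break
-- the chain and hit the DENY.
CREATE PROCEDURE dbo.GetMyOrders
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE OwnerLogin = ORIGINAL_LOGIN();  -- the individual's Windows login
END;
GO

-- The only permission the desktop users hold in this database.
GRANT EXECUTE ON OBJECT::dbo.GetMyOrders TO app_client;
GO
```

A user who pulls the connection string out of the application and connects with a query tool gets the same result: `SELECT * FROM dbo.Orders` is denied, and `EXEC dbo.GetMyOrders` returns only that user's rows.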

War

This is asked a lot in here ...

Encrypting sections and-or settings in an App.config file that will be redistributed

There never seems to be a finite answer on it ... it seems it's one of those "each to their own" type scenarios ... use what best suits your situation.
