Security Implications of Including SQL User (with limited permissions) Within the Program File

So my C# Windows Forms Application has two parts. The Database Records Manager (DRM) and the Public Access Client (PAC).

I use both clients to access a Microsoft Azure SQL Database, with the provided connection string.

Server=tcp:{thedatabasename}.database.windows.net,{theport};Initial Catalog={adatabase};Persist Security Info={bool};User ID={username};Password={password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate={bool};Connection Timeout={int};

What are the security implications of using this connection string within the program code? (As in within formname.cs)

The user/login that is used to access the account has the db_datareader and db_datawriter roles.

The database that the program connects to hosts no sensitive data, other than perhaps the user details in the master table.

Your database content is wide open to anybody. The username and password are trivial to discover and then they'll be widely known. Not only your app users, but really anybody can and will access your data. Script kiddies will delete all rows in every table (which you do give permission for) just because they can. Hackers will read every table, including your users' names and email addresses, your financial transactions, really, anything available in the DB.

Furthermore, you will find yourself unable to change these leaked user credentials because they are hard coded in the app, and you must convince users to install a new version if you want to change them.

If I understand correctly, your Public Access Client (PAC) is a C# Windows Forms Application and users can use it on their own machines. In this case, your database is absolutely insecure, because the connection string is just a configuration option and it doesn't give any security. An attacker can decompile your application, get the connection string and then use it to access the Microsoft Azure SQL Database, so he can extract or corrupt all your data.
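
The risk both answers describe begins with a literal SQL login sitting in source such as formname.cs. As an added example (not part of the original posts), this Python check parses C# string literals in the question's connection-string format and reports any that carry a literal password, so the problem can be caught in review or CI; the sample source, server name and credentials are constructed, and the function names are hypothetical.

```python
import re

# ADO.NET SqlClient keyword synonyms for the credential and server fields.
USER_KEYS = ("user id", "uid", "user")
PASSWORD_KEYS = ("password", "pwd")
SERVER_KEYS = ("server", "data source")

LITERAL = re.compile(r'@?"((?:[^"\\]|\\.)*)"')  # a C# string literal on one line
PLACEHOLDER = re.compile(r"^\{.*\}$")           # e.g. {password} in a template

def parse_connection_string(text):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")  # values may contain '='
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def first_present(fields, keys):
    return next((fields[k] for k in keys if k in fields), None)

def find_embedded_credentials(source, filename="<source>"):
    """Report string literals that carry a SQL login with a literal password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in LITERAL.finditer(line):
            fields = parse_connection_string(match.group(1))
            password = first_present(fields, PASSWORD_KEYS)
            if not password or PLACEHOLDER.match(password):
                continue  # integrated auth or an unfilled template: no secret
            findings.append({
                "file": filename, "line": lineno,
                "server": first_present(fields, SERVER_KEYS),
                "user": first_present(fields, USER_KEYS),
                # Never echo the secret itself into scan output.
                "password": "<redacted, %d chars>" % len(password),
            })
    return findings

# Constructed sample standing in for formname.cs; every value is made up.
SAMPLE_CS = '''
string tpl = "Server=tcp:{thedatabasename}.database.windows.net;User ID={username};Password={password};";
string conn = "Server=tcp:example.database.windows.net,1433;Initial Catalog=appdb;User ID=pac_user;Password=Constructed-Pw-123;Encrypt=True;";
string sso = "Server=tcp:example.database.windows.net;Initial Catalog=appdb;Integrated Security=True;";
'''

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_CS, "formname.cs"):
        print(finding)
```

Only the second literal is reported: the template uses placeholders and the third string has no password field.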
