
How to hide XML Configuration File

I have just finished making my application and finished building it. And everything is working fine.

And then I notice an XML Configuration file in the folder, so I click it.

And there it is: my whole connection string along with my remote SQL Server IP address, login username and login password, visible for all to see.

I tried deleting the XML Configuration file and ran the program; it just makes an App_Data folder inside the folder with a default database.

Is there any way to hide the XML Configuration file or make it unreadable, as it contains all my connection info?

Thanks.

Check out this MS article regarding securing your connection strings:

https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/protecting-connection-information

Alternatively, hard-code the connection string into your application (note: malicious users can reverse engineer .NET apps fairly easily), or use Integrated Security if possible.

You can either encrypt it: http://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/

or use Integrated Security if you can.
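Following up the encryption suggestion in this and the first answer, here is an added example (not code from any of the answers or the linked articles) that encrypts the connectionStrings section of a built .NET Framework app's .config with the framework's built-in DPAPI provider, so the plaintext no longer sits in the file; the tool name ConfigProtector and the executable path argument are assumptions.

```csharp
using System;
using System.Configuration;

// Protects the <connectionStrings> section of an already-built app's .config file.
// Assumes the tool is compiled against System.Configuration.dll (.NET Framework).
static class ConfigProtector
{
    const string SectionName = "connectionStrings";
    // DPAPI-backed provider shipped with the framework. Its default configuration
    // uses the machine key store, so run this on the machine that will run the app;
    // note that any account on that machine can still decrypt the section.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the section in place. Returns false if there was nothing to do.
    // section.SectionInformation.UnprotectSection() reverses it when you need to edit.
    public static bool Protect(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true; // write the section even if unchanged
        config.Save(ConfigurationSaveMode.Full);
        return true;
    }

    // The application itself needs no code change: ConfigurationManager decrypts
    // transparently. That is also why a debugger attached to the running process
    // still sees the clear-text value, as the other answers point out.
    public static string ReadConnectionString(string exePath, string name)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringSettings cs = config.ConnectionStrings.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }

    static void Main(string[] args)
    {
        // Usage: ConfigProtector.exe C:\path\to\MyApp.exe   (opens MyApp.exe.config)
        if (args.Length == 0)
        {
            Console.WriteLine("usage: ConfigProtector <path-to-exe>");
            return;
        }
        bool changed = Protect(args[0]);
        Console.WriteLine(changed ? "connectionStrings section encrypted." : "No change.");
    }
}
```

After running it, the .config still parses normally but the section contains an EncryptedData element instead of the server address and credentials.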

Any attempts to hide the connection string will just make it slightly more difficult to access for both you and any attackers. It is not unusual but not very secure, and there is also the problem with ensuring regular password rotation.

If you can, switch to integrated security. (Include Integrated Security=SSPI in the connection string, but no user name or password.) The connection will be created using your own user account (or the account running your code), assuming that

  • You are using MS SQL Server
  • The SQL Server is on the same system, or in the same AD domain, and will thus be able to recognize the account.

A dedicated debugger will be able to see your connection string pretty much no matter what you do.

Remember, if you can look at Connection.ConnectionString in a debug session, so can a user with WinDbg or Visual Studio. So even if you encrypt the file, the user can just let you decrypt it and then inspect the clear-text value.

This is why many client applications (especially mobile ones) that need information from a server typically don't directly connect to a database. Instead they typically connect to a service. Then you authorize and authenticate the user against your service.

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please credit this site's URL or the original source. For any questions, contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM