Security Implications of Including SQL User (with limited permissions) Within the Program File

Question

So my C# Windows Forms Application has two parts. The Database Records Manager (DRM) and the Public Access Client (PAC) .

I use both clients to access a Microsoft Azure SQL Database, with the provided connection string.

Server=tcp:{thedatabasename}.database.windows.net,{theport};Initial Catalog={adatabase};Persist Security Info={bool};User ID={username};Password={password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate={bool};Connection Timeout={int};

What are the security implications of using this connection string within the program code? (As in within formname.cs )

The user/login that is used to access the account has the db_datareader and db_datawriter roles.

The database that the program connects to hosts no sensitive data, other than perhaps the user details in the master table.

Answer 1

Your database content is wide open to anybody. The username and password are trivial to discover and then they'll be wide known. Not only you app users, but really anybody can and will access your data. Script kiddies will delete all rows in every table (which you do give permission) just because they can. Hackers will read every table, including your users names and email addresses, your financial transactions, really, anything available in the DB.

Furthermore you will find yourself unable to change this leaked user credentials because it is hard coded in the app and you must convince users to install a new version if you want to change it.

Answer 2

If I understand correctly, your Public Access Client (PAC) is a C# Windows Forms Application and users can use it on their own machines. In this case, your database is absolutely insecure, because connection string is just a configuration option and it doesn't give any security. Attacker can decompile your application, get connection string and then use it to access a Microsoft Azure SQL Database, so he can extract or corrupt all your data.