
How to hide XML Configuration File

I have just finished making my application and finished building it. And everything is working fine.

And then I notice an XML Configuration file in the folder, So I click it.

And there it is: my whole connection string, along with my remote SQL Server IP address, login username and login password, visible for all to see.

I tried deleting the XML configuration file and ran the program; it just makes an App_Data folder inside the folder with a default database.

Is there any way to hide the XML configuration file or make it unreadable, as it contains all my connection info?

Thanks.

Check out this MS article regarding securing your connection strings:

https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/protecting-connection-information

Alternatively, hard-code the connection string into your application (note: malicious users can reverse engineer .net apps fairly easily), or use Integrated Security if possible.

You can either encrypt it: http://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/

or use Integrated Security if you can.
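The "encrypt it" route from this answer, as an added example that is not code from the original post or any of the answers: a small .NET Framework console program that protects the `<connectionStrings>` section of an application's `.config` with the built-in DPAPI provider, reads it back (decryption is transparent to `ConfigurationManager`), and then checks that the plaintext secret is really gone from the file on disk. The exe path, the connection string name `MainDb` and the sample secret `Pa55w0rd` are assumptions for the example; the assembly needs a reference to `System.Configuration`.

```csharp
// Added example, not from the original post: protect the connectionStrings
// section of an exe's .config with DPAPI and verify the result.
// Requires a reference to System.Configuration (.NET Framework).
using System;
using System.Configuration;
using System.IO;

static class ConfigProtector
{
    // Built-in provider registered in machine.config. By default it is
    // configured with useMachineProtection="true", so any account on the
    // same machine can decrypt the section: this keeps the secret out of
    // the file, not away from someone who already has local access.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the connectionStrings section of exePath + ".config" in
    // place. Returns true if the section is protected afterwards.
    public static bool ProtectConnectionStrings(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            return false;

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
        }
        return section.SectionInformation.IsProtected;
    }

    // Reads a named connection string; decryption happens transparently
    // for any code that goes through ConfigurationManager.
    public static string GetConnectionString(string exePath, string name)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    // Practitioner check: the raw XML on disk must no longer contain the
    // secret. Reads the file as text, deliberately bypassing ConfigurationManager.
    public static bool FileContainsPlaintext(string exePath, string secret)
    {
        return File.ReadAllText(exePath + ".config").Contains(secret);
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is the target exe; otherwise protect our own config.
        string exe = args.Length > 0
            ? args[0]
            : System.Reflection.Assembly.GetExecutingAssembly().Location;
        const string sampleSecret = "Pa55w0rd"; // assumed password in the config

        bool before = FileContainsPlaintext(exe, sampleSecret);
        bool isProtected = ProtectConnectionStrings(exe);
        bool after = FileContainsPlaintext(exe, sampleSecret);

        Console.WriteLine("plaintext on disk before: " + before);
        Console.WriteLine("section protected:        " + isProtected);
        Console.WriteLine("plaintext on disk after:  " + after);
        // The application itself still sees the clear value:
        Console.WriteLine("MainDb via ConfigurationManager: " + GetConnectionString(exe, "MainDb"));
    }
}
```

Run it once on the deployment machine, under the account the application will run as, after the config has been written; the `ProtectSection` call rewrites the `<connectionStrings>` element as `<EncryptedData>`. As the later answers note, anyone who can debug the running process (or, with the default machine-scope DPAPI provider, run code on the same machine) can still recover the value, so this raises the bar for a casual reader of the file rather than for an attacker with local access.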

Any attempt to hide the connection string will just make it slightly more difficult to access for both you and any attackers. It is not unusual, but it is not very secure, and there is also the problem of ensuring regular password rotation.

If you can, switch to integrated security. (Include Integrated Security=SSPI in the connection string, but no user name or password.) The connection will be created using your own user account (or the account running your code), assuming that

  • You are using MS SQL Server
  • The SQL Server is on the same system, or in the same AD domain, and will thus be able to recognize the account.

A dedicated debugger will be able to see your connection string pretty much no matter what you do.

Remember, if you can look at Connection.ConnectionString in a debug session, so can a user with WinDbg or Visual Studio. So even if you encrypt the file, the user can just let you decrypt it and then inspect the clear-text value.

This is why many client applications (especially mobile ones) that need information from a server typically don't connect directly to a database. Instead, they connect to a service. Then you authenticate and authorize the user against your service.
