How to hide connection string in app config from user

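All my grids and combo boxes are bound to a dataset/adapter, and the connection string is set in the app config, but the connection string is included in the primary output when it is installed on my client's machine. I tried to exclude it because the connection string contains my database password, but my application returned an exception.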

    <connectionStrings>
        <add name="HNBS_SALON_SPA.My.MySettings.dbhnbspapuaConnectionString"
            connectionString="Provider=Microsoft.ACE.OLEDB.12.0;Data Source=&quot;mydb.accdb&quot;;Persist Security Info=True;Jet OLEDB:Database Password=abcdefg"
            providerName="System.Data.OleDb" />
    </connectionStrings>

  1. You can hide the connection string by encrypting it in web.config.
    See it with example here.

  2. If you mean making the web.config file invisible to system users, it would make it invisible to your application. If you make it visible to your application, it means any user having sufficient privileges will be able to read it. You can only work around it by not having the connection string in this file at all. For example, you could specially design ciphered storage (say, based on an XML file), decode it on the fly and code the assignment of your connection string programmatically in your application.

  3. Encryption will be the best approach to hide the information. The reason this kind of information, such as the connection string, is stored in web.config is that there is no need to compile the code again if it is changed, and it is easy to access globally. If an encryption/decryption method is followed, take extra care when changing the user ID and password in the string.
    For example, you can refer to this article.

(Source)


More information:

  • Stack Overflow: How to securely store a connection string in a WinForms application?
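
The "ciphered storage, decoded on the fly" idea from point 2, as an added example that is not part of the original answer: the connection string is kept out of the config file, encrypted with Windows DPAPI, and decrypted only when the application needs it. The module name, the `ExampleApp` folder, the `conn.bin` file name and the sample value are assumptions made for illustration, and the project needs a reference to System.Security.dll.

```vb
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

' Added example: DPAPI-protected storage for a connection string.
Module ProtectedConnectionStore

    ' Hypothetical location: the current user's application data folder.
    Private ReadOnly StorePath As String = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ExampleApp", "conn.bin")

    ' Encrypts the connection string for the current Windows user and writes it to disk.
    Public Sub SaveConnectionString(plain As String)
        Dim cipher As Byte() = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plain), Nothing, DataProtectionScope.CurrentUser)
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath))
        File.WriteAllBytes(StorePath, cipher)
    End Sub

    ' Decrypts on the fly. Returns Nothing when the store is missing or
    ' was written by a different user or on a different machine.
    Public Function LoadConnectionString() As String
        If Not File.Exists(StorePath) Then Return Nothing
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(
                File.ReadAllBytes(StorePath), Nothing, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(plain)
        Catch ex As CryptographicException
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed sample value; the real password would be supplied at setup time.
        SaveConnectionString("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydb.accdb;" &
                             "Jet OLEDB:Database Password=<placeholder>")
        Dim conn As String = LoadConnectionString()
        Console.WriteLine(If(conn Is Nothing, "no usable store",
                             "decrypted " & conn.Length & " characters"))
    End Sub
End Module
```

This keeps the password unreadable to other accounts and to anyone who copies the file to another machine, but any code running as the same Windows user can still call `Unprotect`, which matches the limitation point 2 describes.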

Thanks to @ashleedawg, I searched for more threads and articles about encryption and found some:

https://weblogs.asp.net/jongalloway/encrypting-passwords-in-a-net-app-config-file

ConnectionStrings in app.config. What about security?

Now I have converted the code to VB.NET and modified it as I needed (the section key), and now I can encrypt app.config.

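    ' At the top of the file (the project needs a reference to System.Configuration.dll):
    Imports System.Configuration

    ' Encrypts the connectionStrings section of the running executable's config file in place.
    Private Sub EncryptConfigSection()
        Dim Config As Configuration
        Dim Section As ConfigurationSection

        ' Open the config file that belongs to the running executable
        Config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Section = Config.GetSection("connectionStrings")
        If (Section IsNot Nothing) Then
            ' Nothing to do if the section is already encrypted
            If (Not Section.SectionInformation.IsProtected) Then
                If (Not Section.ElementInformation.IsLocked) Then
                    ' Encrypt with the DPAPI-based provider and write the file back
                    Section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
                    Section.SectionInformation.ForceSave = True
                    Config.Save(ConfigurationSaveMode.Full)
                End If
            End If
        End If
    End Sub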

Although the application needs to be run at least once for the encryption to take place, this is what I need for now.