Config file settings

[Guest]

I use the app.config file to store my SQL Connection String settings (currently using integrated security)

e.g.

<add key="MyDatabase" value="data source=MyPC\Development;initial catalog=MyDatabase;Integrated Security=SSPI;packet size=4096" /

Whilst I will use SQL authentication for some PCs I do not wish for the UID or PWD to be revealed on a live app
How can I use the config file safely to include SQL Authentication without revealing them in the released config file

Thank
Gerr

 

[Palo Mraz]

Whilst I will use SQL authentication for some PCs I do not wish for the
UID or PWD to be revealed on a live app.

How can I use the config file safely to include SQL Authentication without

revealing them in the released config file ?

Gerry, you might want to checkout this:

http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2002-01/0066.html

It's about web apps, but I think it might be wise to use the advice
(use integrated SQL Server security) for client apps as well.

Regards,

Palo

PS: Does your client apps connect directly to SQL Server? If yes, you
might want to add a tier or two

--
http://dact.lamarvin.com/
AutoComplete component for WinForms applications. Easy to integrate, easier
to use!
http://www.vbinfozine.com/
An ordinary VB developer shares his own successes and failures

 

[EricJ]

you can keep an incrypted value in the config file decrypting it as you read
it in your app, if you yust want to prevent direct reading the easyest is to
add a number to the ascii value of the chars.
i know someone here is working on something to encrypt our own type of
config file, you could try that 2. Its all up to you and how safe do you
want to be.

eric

I use the app.config file to store my SQL Connection String settings

(currently using integrated security):

e.g.

<add key="MyDatabase" value="data source=MyPC\Development;initial

catalog=MyDatabase;Integrated Security=SSPI;packet size=4096" />

Whilst I will use SQL authentication for some PCs I do not wish for the

UID or PWD to be revealed on a live app.

How can I use the config file safely to include SQL Authentication without

revealing them in the released config file ?

 

[Raymond Lewallen]

Gerry,

Look at System.Security.Cryptography namespace.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/
frlrfSystemSecurityCryptography.asp

HTH,

Raymond Lewallen

I use the app.config file to store my SQL Connection String settings

(currently using integrated security):

e.g.

<add key="MyDatabase" value="data source=MyPC\Development;initial

catalog=MyDatabase;Integrated Security=SSPI;packet size=4096" />

Whilst I will use SQL authentication for some PCs I do not wish for the

UID or PWD to be revealed on a live app.

How can I use the config file safely to include SQL Authentication without

revealing them in the released config file ?