question

MarkSanchez-5028 asked DuaneArnold-0443 answered

Best practice for connecting to SQL Server from custom C# WinForms App

We have several custom C# WinForms applications that we use in-house. All of these applications connect to SQL Server databases. For all of these apps we have typically hard-coded the connection string(s) in a module or class of either the main exe or an associated DLL. My questions were as follows:

  1. Are connection strings in general still the best practice for connecting to data on SQL Server from Windows desktop applications?

  2. If not, what better alternatives exist to read/write data from/to SQL?

  3. If connection strings are still the most modern alternative:
    a. Does having the connection strings as we do, inside compiled EXE's and DLL's offer us protection from prying eyes? I seem to recall a way for people to glean this information using MSIL or something.
    b. What alternatives exist to encrypt or obfuscate the embedded connection string info (server, database, user name, and password) to achieve a higher level of security?

Thanks

sql-server-general dotnet-csharp

The best practice is not to let a WinForms app connect to your SQL Server database, but to build up a web service to play the man in the middle.

SimpleSamples answered

ErlandSommarskog answered

The thread that SimpleSamples linked to seems to have some good arguments.

I would only like to add that if you use Windows authentication, there is no need to dabble with passwords in the connection string.

If the answer is "we only want users to access the database through the application", I have a discussion here: https://www.sommarskog.se/grantperm.html#interlude. (It is in the middle of a longer article, but you will get the gist anyway. You need three tiers.)


DuaneArnold-0443 answered

Are connection strings in general still the best practice for connecting to data on SQL Server from Windows desktop applications?

Yes.

If not, what better alternatives exist to read/write data from/to SQL?

Yes, like using a data access layer.

If connection strings are still the most modern alternative:
a. Does having the connection strings as we do, inside compiled EXE's and DLL's offer us protection from prying eyes? I seem to recall a way for people to glean this information using MSIL or something.

Not an optimal choice, because a change to a program must be made for a new connection and the program must be redeployed. As opposed to a config file that has an encrypted connection string and only the config file need be redeployed.







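The two suggestions in the answers above (Windows authentication, and an encrypted connection string in the config file) can be combined as in the sketch below. This is an added example, not code posted by anyone in the thread; it assumes .NET Framework with a reference to System.Configuration, and the `DbConfig` class and the `AppDb` entry name are hypothetical.

```csharp
// Added example. Constructed App.config entry it expects:
//   <add name="AppDb" connectionString="Server=...;Database=...;Integrated Security=SSPI" />
using System.Configuration;
using System.Data.SqlClient;
using System.Diagnostics;

static class DbConfig
{
    const string Section = "connectionStrings";
    const string Provider = "DataProtectionConfigurationProvider"; // built-in DPAPI provider

    // Encrypts the <connectionStrings> section of <exe>.config in place.
    // DPAPI keys are tied to the machine, so run this on each target machine
    // (at install or first start); a file protected elsewhere will not decrypt.
    public static void ProtectConnectionStrings()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(Section);
        if (section == null || section.SectionInformation.IsProtected) return;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(Section);  // reload the section from disk
    }

    // Reads the entry (decryption is transparent to the caller) and opens a connection.
    public static SqlConnection Open(string name = "AppDb")
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);

        var builder = new SqlConnectionStringBuilder(entry.ConnectionString);
        // With Windows authentication there is no password to protect at all.
        if (!builder.IntegratedSecurity && !string.IsNullOrEmpty(builder.Password))
            Trace.TraceWarning("Connection string '" + name + "' embeds a SQL login password.");

        var connection = new SqlConnection(builder.ConnectionString);
        connection.Open();
        return connection;
    }
}
```

By default the DPAPI provider uses machine-level protection, so the encryption guards against the config file being copied off the machine, not against a user who can run code on that machine. Saving the protected section also requires write access to the application's config file.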