where to save user settings in an app

i've got an app that needs to connect to sql server and login with a
userName/password. currently, my app saves this info in an XML file in plain
text (i.e. no encryption). every time the app is opened, the XML file is read
and the userName/password used to establish the sql connection. is this the
normal way of doing things, or is it smarter to save these settings
elsewhere, like the registry? if saving to XML is deemed appropriate, should
i be concerned with the plain text userName/password. i'm primarily a web
developer trying to move to desktop app development, so worrying about
saving info on the desktop is a new area for me and i'd appreciate any info
on how this is generally done.

tks in advance.

Nov 17 '05 #1
Saving things in the registry is not recommended anymore. An XML
configuration file is the usual way to go. For added security you can
encrypt the file using an MD5 encryption.

--
Bob Powell [MVP]
Visual C#, System.Drawing

Ramuseco Limited .NET consulting
http://www.ramuseco.com

Find great Windows Forms articles in Windows Forms Tips and Tricks
http://www.bobpowell.net/tipstricks.htm

Answer those GDI+ questions with the GDI+ FAQ
http://www.bobpowell.net/faqmain.htm

All new articles provide code in C# and VB.NET.
Subscribe to the RSS feeds provided and never miss a new article.


Nov 17 '05 #2
MD5 encryption isn't recommended (by Microsoft), I'd use SHA256 or 384.

This article
http://msdn.microsoft.com/library/de...SecNetHT11.asp
has some info, but leaves me confused as you then have the encrypted
connection string's encryption password in your source code, which even
with obfuscation is quite easy to get at. A bit of a Catch 22 it seems,
even using the DPAPI.

The solution I'd use is a web service that returns the connection
string, with the web service method requiring credentials.

Nov 17 '05 #3
Dica,

Generally speaking, I would agree with Bob's response. The only thing
I would add is that this should really be contained in the app.config file
for your app.

Like Bob said, you can use encryption algorithms to encrypt the username
and password.

The only problem is where you will store the encryption key. Because it
is easy to disassemble .NET code, if you hard code the key somewhere, it
will be easy to find, and someone can circumvent the encryption easily.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com


Nov 17 '05 #4
I've had good luck deriving the encryption key through reflection, based on
the assembly name / version string. Additional possible benefits include the
likelihood that if the assembly has been tampered with (decompiled /
recompiled) it would become invalid.
Peter
--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com




Nov 17 '05 #5
It almost goes without saying that a .NET application that has any sort of
software activation or licensing technology *must* be obfuscated.

Since I got the dotfuscator professional I forget whether the community
edition that comes with VS does string encryption.

--
Bob Powell [MVP]
Visual C#, System.Drawing

Ramuseco Limited .NET consulting
http://www.ramuseco.com

Find great Windows Forms articles in Windows Forms Tips and Tricks
http://www.bobpowell.net/tipstricks.htm

Answer those GDI+ questions with the GDI+ FAQ
http://www.bobpowell.net/faqmain.htm

All new articles provide code in C# and VB.NET.
Subscribe to the RSS feeds provided and never miss a new article.



Nov 17 '05 #6


"Bob Powell [MVP]" wrote:
> Saving things in the registry is not recommended anymore. An XML
> configuration file is the usual way to go. For added security you can
> encrypt the file using an MD5 encryption.


Since when, and where at? The xp logo compliance doc says to use the reg
unless you've got >64k of data.
Nov 17 '05 #7
> Since when, and where at? The xp logo compliance doc says to use the reg
> unless you've got >64k of data.

Let's put it this way. A .Net application can be extremely portable. All it
necessarily depends on is the .Net Framework. This allows for such niceties
as XCopy Deployment. Using the System Registry creates an external
dependency. At that point you lose that portability, and XCopy Deployment
capability.

Using the System Registry has no advantage over using an XML configuration
file. Registry values can be read as easily as config file values. Config
files can be encrypted just like Registry entries.

And finally, the System Registry stays cleaner when applications don't use
it, depend on it, leave registry entries behind when they are gone, etc.

But hey, the Registry police aren't going to come knocking on your door if
you choose to use it. And logic has never stopped anyone from doing as they
wished.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.


Nov 17 '05 #8


"Kevin Spencer" wrote:
> Let's put it this way. A .Net application can be extremely portable. All it
> necessarily depends on is the .Net Framework. This allows for such niceties
> as XCopy Deployment. Using the System Registry creates an external
> dependency. At that point you lose that portability, and XCopy Deployment
> capability.
> But hey, the Registry police aren't going to come knocking on your door if
> you choose to use it. And logic has never stopped anyone from doing as they
> wished.


Relax. Personally I think the whole dlls outside the app folder+registry
concepts were a mistake because they broke xcopy portability when moving to a
new system. I know .net did away with the former, I was unaware that the
company line had changed regarding the registry, and was wondering when it
had happened.
Nov 17 '05 #9
Even with obfuscating, the key is still in there. So it depends how
secure you want your application, and what kind of level of security
you want to protect your data with.

I know that where I work this level of security wouldn't be acceptable
with the clients we have. This is why I suggested the web service
method as the most secure means for ensuring the connection string only
goes to those people who are allowed it, and user access can be turned
off very easily.

Of course this may be "over the top" for what you're doing, so a simple
encryption of the connection string, and decryption inside the code may
well suffice.

Nov 17 '05 #10
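
Added example (not from the thread or any poster): replies #3, #4 and #10 all come back to where the encryption key lives. One way to avoid embedding a key in the assembly is DPAPI through .NET's ProtectedData class, shown below; the file path, the "MyApp" names and the sample password are assumptions.

```csharp
// Added example, not code from the thread. Path, "MyApp" and entropy label are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData: System.Security.dll on .NET Framework 2.0+
using System.Text;

static class CredentialStore
{
    // Hypothetical location: per-user application data, not the install folder.
    static readonly string FilePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "MyApp", "sql-password.bin");

    // Not a secret: it only ties the blob to this application's purpose.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.SqlPassword.v1");

    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // DPAPI derives the key from the logged-on user's Windows credentials,
            // so there is no key to hard-code in the assembly or the config file.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(FilePath));
            File.WriteAllBytes(FilePath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }   // do not leave plaintext bytes around
    }

    // Returns null when nothing is stored or the blob cannot be unprotected
    // (another Windows user, or a modified file).
    public static string Load()
    {
        if (!File.Exists(FilePath)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(FilePath), Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException) { return null; }    // caller should prompt for the password again
    }

    static void Main()
    {
        Save("constructed-sample-password");               // constructed sample value
        Console.WriteLine(Load() == "constructed-sample-password" ? "round-trip ok" : "failed");
    }
}
```

With DataProtectionScope.CurrentUser the blob is useless to other Windows accounts, but any code running as the same user can still call Unprotect, so it does not defend against malware in that user's session.
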
Just out of interest, how would you unencrypt an MD5 encrypted file?
:o]

Nov 17 '05 #11
