C# secure connection info for MYSQL


Problem description

I'm about to release a small tool which uses a database connection for storing data. The question is: How can I prevent people reverse engineering my code and getting the Username and Password to gain access to the database?

For earlier projects (which were used only by myself), I defined the connection-string just as a global variable inside my app. But that's highly unsafe as it only takes minutes to get this string out of the exe.

Also a lot of methods to obfuscate code can be reversed.

I am really a big fan of providing code but I don't know what to post. This is more a question about the theory. Coding is the part I'll take care of myself.

Here is a small idea from me which I don't really like that much:
I could place a second tool on the server. The real app would connect to this second tool, give over the data and the second data would finally connect to my database itself. This way the connection-string would be stored inside the second app where nobody can grab it.

Recommended answer

The fact of the matter is that storing sensitive information on the client machine is highly vulnerable to attacks against your database. A suggestion you can look into is a Three-tier architecture model for your application (http://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture). In a Three-tier architecture, you have your presentation layer (your application), your logic tier (this layer will be the central pit stop through which all your clients will have access to your database), and you have your database layer (the server where your database is). With this architecture, you can ensure all the data being stored and being retrieved is from a singular source and high level security.

In the past (and still in the present), programmers would have to create their own socket servers or do advanced network programming to develop a solution like this; however, Microsoft has developed a tool called Windows Communication Foundation (WCF) which takes away the pain of coding your own socket server and lets you focus on developing your own implementation. Be warned though, WCF is secure by default, but it is no excuse not to research into ways of making your product robust against hackers (like knowing what protocol you are going to use, what security measures you are going to use (Transport vs Message, etc), encrypting data on client side so potential viruses don't uncover sensitive information, etc). In saying that, WCF is a highly polished service and is really easy to get something up and running.

A good beginner video tutorial on WCF can be found here: https://www.youtube.com/playlist?list=PLhq7kqloVlM-bI9W_7iDZhObAeyrFt1y_

The playlist for the videos is gone, but the videos themselves are still there. Just search through all his videos looking for the keyword 'WCF'.

Here is the link: https://www.youtube.com/user/JesseDietrichson/featured
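
The three-tier split described in the answer, as an added C# example that is not part of the original answer: the logic tier alone holds the connection string and exposes one validated operation, while the client ships only a service URL and a per-user token that can be revoked individually. The `APP_DB_CONNSTR` variable, the `X-Api-Token` header, the `/notes` path, the port, the sample token and the in-memory `Rows` list (standing in for the MySQL table) are assumptions made for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Demo driver: one process plays both tiers so the example runs offline.
var tier = new LogicTier();
using var listener = new HttpListener();
listener.Prefixes.Add("http://localhost:8085/");   // loopback demo; use HTTPS in deployment
listener.Start();
using var client = new HttpClient();               // presentation tier: knows the URL and its own token only
foreach (var token in new[] { "alice-token", "guessed-token" })   // constructed sample tokens
{
    Task serving = tier.ServeOnce(listener);
    var req = new HttpRequestMessage(HttpMethod.Post, "http://localhost:8085/notes") { Content = new StringContent("hello") };
    req.Headers.Add("X-Api-Token", token);
    var resp = await client.SendAsync(req);
    await serving;
    Console.WriteLine($"{token}: HTTP {(int)resp.StatusCode}, stored rows = {tier.Rows.Count}");
}

class LogicTier   // logic tier: the only code that ever holds the database credentials
{
    // Assumption: secret injected into the server's environment; the fallback is a placeholder.
    readonly string connStr = Environment.GetEnvironmentVariable("APP_DB_CONNSTR") ?? "<placeholder>";
    // Constructed sample: SHA-256 of each issued API token mapped to its user.
    readonly Dictionary<string, string> users = new() { [Hash("alice-token")] = "alice" };
    public readonly List<(string User, string Note)> Rows = new();   // stand-in for the MySQL table
    static string Hash(string s) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(s)));

    // The single operation clients may request; returns the HTTP status code to send back.
    public int AddNote(string token, string note)
    {
        if (token == null || !users.TryGetValue(Hash(token), out var user)) return 401;
        if (string.IsNullOrWhiteSpace(note) || note.Length > 200) return 400;
        if (connStr.Length == 0) return 503;   // tier not configured
        Rows.Add((user, note));   // real tier: parameterized INSERT over a connection opened with connStr
        return 204;
    }
    public async Task ServeOnce(HttpListener l)
    {
        var ctx = await l.GetContextAsync();
        using var body = new StreamReader(ctx.Request.InputStream);
        ctx.Response.StatusCode = AddNote(ctx.Request.Headers["X-Api-Token"], await body.ReadToEndAsync());
        ctx.Response.Close();
    }
}
```

Reverse engineering the client binary yields at most one user's token, which the logic tier can revoke without touching the database account.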
