使用SecureString的一个SQL连接 [英] using securestring for a sql connection

问题描述

我想用一个SecureString的举办为数据库连接字符串。但只要我SqlConnection对象的ConnectionString属性设置为SecureString的价值肯定会成为可见的任何其他应用程序可以读取我的应用程序的内存？

I want to use a SecureString to hold a connection string for a database. But as soon as I set the SqlConnection object's ConnectionString property to the value of the securestring surely it will become visible to any other application that is able to read my application's memory?

我已经做了以下假设：
一）我不能够实例化SqlConnection对象管理的内存之外
二）托管内存中的任何字符串可以通过诸如鹰眼

I have made the following assumptions:
a) I am not able to instantiate a SqlConnection object outside of managed memory
b) any string within managed memory can be read by an application such as Hawkeye

推荐答案

您绝对正确的SecureString的并不时为您提供您需要将字符串传递到托管API，如设置ConnectionString的任何好处。

Your absolutely right the SecureString does not provide you with any benefit when you need to pass the string to a managed API, such as setting a ConnectionString.

这是真正设计用于安全的非托管API的安全通信。

It's really designed for secure communication with secure non-managed APIs.

微软理论上可以考虑加强SqlConnection对象支持安全的ConnectionString，但我认为他们是不可能这样做的原因是：

Microsoft could theoretically consider enhancing SqlConnection object to support a secure ConnectionString, but I think they're unlikely to do so because:

• SecureString的是真正的客户端应用程序，其中，例如，只用密码是建立角色由用户输入的文字，而无需在托管字符串整个密码。

• SecureString is really only useful in a client app, where e.g. a password is built character by character from user input, without ever having the whole password in a managed string.

在这样的环境中，这是比较常见的是使用Windows身份验证连接到SQL Server。

In such an environment, it's more common to be using Windows authentication for connections to SQL Server.

在一个服务器上还有其他的方法来保护SQL Server的凭据，开始通过限制授权的管理员对服务器的访问。

On a server there are other ways to protect the SQL Server credentials, starting by limiting access to the server to authorized administrators.

这篇关于使用SecureString的一个SQL连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！