Hide connectionstring in app.config file for windows form

Topics: Data Access Application Block
Jul 3, 2015 at 1:15 AM
I have been using MEL 6.0 for web-based applications. Now, I am trying to use this Data Access Application block in windows form. All the connection strings are inside the app.config file. However, when we deploy, users are able to view the content of the app.config where all the sensitive info about database connection.

Is there a way to manage these connectionstrings? Should it be possible to include these connectionstring inside the exe file ?

Jul 3, 2015 at 2:13 AM
Best would be to not include database credentials in the configuration file and use Integrated Security instead. You could setup a Windows Group (assuming you are on a domain) so that managing SQL logins is not a pain. See https://stackoverflow.com/questions/2486842/how-to-ensure-db-security-for-a-windows-forms-application

You could look at encrypting the configuration during installation (DPAPI) or use a programmatic EL configuration where the encrypted password is read from the config at startup, decrypted and the Data Block initialized. These approaches "hide" the credentials from casual prying eyes but are not entirely secure.

Hard coding the connection string inside the application is not particularly secure. Casual users might not see it but it would be visible in the assembly.