Protecting hard coded strings from decompilation
I am writing an application that needs to connect to a MySQL database on an external server. I need a "hard coded" string to connect to the database which contains user and password details. This is an issue when people can decompile my application to view almost exactly the code that I originally typed, which could give them direct access to my database.
Is there any way of preventing people from viewing these strings with code? I'd prefer not to use obfuscators.
Many thanks, Steve
Rather than connecting directly to a database, you can send calls to a web service on your side, and the web service can redirect to the database as needed. This has the advantage that, in the event you need to change a connection string, you can redeploy your web service without affecting your client apps.
Encrypt the string, store that. Decrypt as part of the connection process.
Given that you are hard coding authentication details to your database in your client application, you must be authenticating your users by some other mechanism. Otherwise you have a huge security hole - anyone who can get their hands on your binaries can access the database (if this is not a problem for you then there is no need to hide the database password in the first place since that wouldn't achieve anything).
If your database cannot use the same authentication mechanism, then you will have to connect using a specific account, as you describe. However, this connection should be made via a proxy which can authenticate your user. For example a web service which sits between the client and the database and performs database calls on behalf of the client.
I would say that you will need to use an obfuscator, by the way, because even if you encrypt the string, as @jfar absolutely correctly suggests, one can easily use Reflector to figure out your encryption and decryption techniques.
Of course, if one really wants to, one is also able to hack obfuscated code too, but it's always about making things difficult enough that someone would not spend his time hacking your app.
Regards.
Warning: you'll probably end up regretful if you write an application that directly accesses your database (i.e. WinForms/WPF app connected to MySQL database via ODBC). I recommend creating a web service as advised in the accepted answer. However, if you don't have the luxury of creating one...
Another option is to put the connection string into the configuration file (if you haven't already) and then encrypt the entire configuration file, or just the parts you want to secure.
RsaProtectedConfigurationProvider Class
DpapiProtectedConfigurationProvider Class
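An added example (not code from any of the answers above) of the configuration-file approach: it encrypts the `connectionStrings` section of the application's own config file with the DPAPI provider on first run and then reads an entry back. The entry name `AppDb` and the class names are assumptions made for illustration.

```csharp
using System;
using System.Configuration; // requires a reference to System.Configuration.dll

static class ConnectionStringProtection
{
    // Name under which DpapiProtectedConfigurationProvider is registered by default.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the app's .exe.config if it is still plaintext.
    // Returns true when the file was rewritten. Needs write access to the config file.
    public static bool EnsureEncrypted()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");
        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // Reading goes through the normal API; the provider decrypts transparently.
    public static string Get(string name)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null)
            throw new ConfigurationErrorsException("Connection string '" + name + "' not found.");
        return entry.ConnectionString;
    }
}

static class Program
{
    static void Main()
    {
        bool changed = ConnectionStringProtection.EnsureEncrypted();
        Console.WriteLine(changed ? "connectionStrings encrypted." : "Already encrypted.");

        // "AppDb" is a hypothetical entry name used for this example.
        string connectionString = ConnectionStringProtection.Get("AppDb");
        Console.WriteLine("Loaded connection string of length " + connectionString.Length);
    }
}
```

The DPAPI provider ties the ciphertext to the machine it was encrypted on, so the section has to be encrypted on the target machine rather than shipped pre-encrypted. It keeps the credentials out of the plaintext file, but code running as the application can still read them, so it does not replace the web-service approach recommended above.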