How to safely connect Program to MySql Database?(Solved)

C++, C#, Java, PHP, etc.
Gustava
Posts: 66
Joined: Tue Dec 29, 2009 5:49 am

Post by Gustava »

I'm using VB.Net to run some programs that connect with one of my databases, but I'm worried about the security.

Out in the open it looks similar to this to connect with the database:

Code:

objConn = New MySqlConnection("server=55.55.555.555; userid=name; password=555555;database=database_555")

Users sign up to use the program on the website, at sign-up Pay-Pal enters them into the database so to speak. Atm the program database connection is read-access only, since I don't have a good way of securing the connection yet which limits some functions - but it can get by for now.

I was wondering if anyone knew how to make the connection secure. I have looked at a few obscurers but wasn't sure how good they were as the few I have used before were pretty weak lol.
Last edited by Gustava on Sat Feb 19, 2011 4:47 am, edited 1 time in total.
Chris
Posts: 1580
Joined: Wed Sep 30, 2009 7:22 pm

Re: How to safely connect Program to MySql Database?

Post by Chris »

I'm not really an expert in desktop programming and especially not in Windows, but does VB.net not get compiled into another language like Java? And would this not mean that it can't be decompiled? Meaning they won't be able to read your code..

If what I'm saying doesn't mean anything, what I would do is run a web server and make VB connect to that, then ask for a PGP key or even a simple token. Then allow the web server to access the database. This would of course make the application work slower, but that would be decent security.
Fighting for peace is declaring war on war. If you want peace be peaceful.
Xaleph
Posts: 897
Joined: Mon Feb 07, 2011 2:55 am

Re: How to safely connect Program to MySql Database?

Post by Xaleph »

I guess looking into handshakes is something for you. It means you verify your source against that of the client; you have to authorize access to the user. It's a simple protocol, but it will help you along.

You could also use separate databases. 1 for authorization and 1 for the game.
Gustava
Posts: 66
Joined: Tue Dec 29, 2009 5:49 am

Re: How to safely connect Program to MySql Database?

Post by Gustava »

Thanks, I think I got some good ideas from this.

And as far as de-compiling, it's not the neatest but there are ways to do it to retract bits and pieces no matter what anyone tells you (Maybe not with a good compiler, still haven't run into it). Why I want to create a safe connection and not worry about that mess :p

Thanks again
Chris
Posts: 1580
Joined: Wed Sep 30, 2009 7:22 pm

Re: How to safely connect Program to MySql Database?

Post by Chris »

Ah k, well that's taught me something too :)
Fighting for peace is declaring war on war. If you want peace be peaceful.
SpiritWebb
Posts: 3107
Joined: Sun Jul 12, 2009 11:25 pm

Re: How to safely connect Program to MySql Database?

Post by SpiritWebb »

Has this been resolved?
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: How to safely connect Program to MySql Database?

Post by Jackolantern »

.NET is extremely easy to decompile, just like Java and Flash. The reason is because VS programs are compiled to something similar to Java's Bytecode, called CIL (also called MSIL). Visual Studio even ships with a program called ILDASM that can show the CIL of a compiled .NET assembly (aka an EXE or DLL). The .NET runtime compiles assemblies to machine code as they are run, similar to Java, in a process called "Just-In-Time" compilation (aka JIT'd).

There are methods of "obfuscating" .NET code. Visual Studio comes with a community edition of Dotfuscator, a .NET obfuscator. It is better than nothing, but if someone really wants to get into your source, they can still piece it together.

So there really are 3 options to secure your application. First is to use Dotfuscator or another obfuscator. Of course that is not 100%, but it will keep most of the riffraff out. Second is to keep the source out of your users' hands by making it an ASP.NET application. You can use Silverlight for any rich client-side interaction you may need, and that way the database would only be manipulated on the web server. Third, and the option I know the least about, is to pre-compile your EXEs and DLLs. Supposedly there are some products out there (none that I know of that come with VS that work on non-ASP.NET) that will trick the .NET runtime into JIT'ing your code to various end platforms. The downside to this would be you would have to compile different versions for each different platform (Windows XP 32-bit, Vista 64-bit, Intel processor, AMD, etc.). The .NET runtime creates highly optimized machine code that is specifically tailored to each platform. If you do go this route, it will create machine code that is basically impossible to decompile.
The indelible lord of tl;dr
Gustava
Posts: 66
Joined: Tue Dec 29, 2009 5:49 am

Re: How to safely connect Program to MySql Database?

Post by Gustava »

Great info there, I'll try out Dotfuscator for a little more protection. The third option sounds interesting but I prefer one shoe fits all.

Was working earlier with creating a gateway between the user and the database like a PHP script, so the user doesn't need to know the actual database login details. Another possible idea for anyone else that runs into this later. Thanks for the brainstorming - will see how it turns out - marking solved.
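
The gateway idea from Chris's and Gustava's posts above, sketched as an added example that is not part of the original thread: the client sends a per-user token and an action name, while the database login stays on the web server. The action, table and column names and the token scheme are hypothetical, and in-memory SQLite stands in for MySQL so the script runs on its own.

```php
<?php
// Fixed statements the client may trigger by name; it never sends SQL.
// Action, table and column names are hypothetical.
const ACTIONS = [
    'get_score' => ['SELECT score FROM players WHERE user_id = :uid', []],
    'set_score' => ['UPDATE players SET score = :score WHERE user_id = :uid', ['score']],
];

// Map a client token to a user id; only SHA-256 hashes of tokens are stored.
function authenticate(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT user_id FROM api_tokens WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

function gateway(PDO $db, string $token, string $action, array $args): array {
    $uid = authenticate($db, $token);
    if ($uid === null) {
        return ['status' => 401, 'error' => 'invalid token'];
    }
    if (!array_key_exists($action, ACTIONS)) {
        return ['status' => 400, 'error' => 'unknown action'];
    }
    [$sql, $fields] = ACTIONS[$action];
    $params = [':uid' => $uid]; // always the authenticated user, never client input
    foreach ($fields as $f) {
        if (!isset($args[$f]) || !is_int($args[$f])) {
            return ['status' => 400, 'error' => "bad field: $f"];
        }
        $params[":$f"] = $args[$f];
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->columnCount() > 0 ? $stmt->fetchAll(PDO::FETCH_ASSOC) : [];
    return ['status' => 200, 'rows' => $rows, 'affected' => $stmt->rowCount()];
}

// Constructed demo on in-memory SQLite; in production $db is the MySQL connection,
// built from credentials that exist only in the web server's configuration.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE players (user_id INTEGER PRIMARY KEY, score INTEGER)');
$db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec('INSERT INTO players VALUES (1, 10), (2, 99)');
$db->prepare('INSERT INTO api_tokens VALUES (?, 1)')->execute([hash('sha256', 'demo-token')]);
foreach ([['demo-token', 'set_score', ['score' => 25, 'uid' => 2]], ['demo-token', 'get_score', []],
          ['wrong-token', 'get_score', []], ['demo-token', 'run_sql', []]] as [$t, $a, $x]) {
    echo json_encode(gateway($db, $t, $a, $x)), PHP_EOL;
}
```

Because each statement is bound to the token's own user id, the extra `uid` the first demo call supplies is ignored. A token recovered from a decompiled or sniffed client exposes one account's allowed actions, not the database login.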
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: How to safely connect Program to MySql Database?(Solved)

Post by Jackolantern »

Yeah, the third option is not really for wide-distribution as it just wouldn't really work. My understanding is that pre-compiling is really only useful for ASP.NET pages and intranet applications that will only run on company-wide standard computers to secure database credentials or sensitive info. For example, if you were making an application for the Google office that was going to have part of their searching algorithm in it, then it would be worth it since you would know what platform it will be running on and the data would be valuable enough to warrant the highest security.
The indelible lord of tl;dr