Storing SQL log on details in VB.net application

Soldato
Joined
18 May 2004
Posts
2,864
Location
Lincoln, Uk
Hopefully there is a simple solution to this sort of issue:

If I have a Windows application written in VB.net which needs to log onto other services, an SQL database, or the web based API of another system, how would one typically deal with storing the log on details? Hard coding them is obviously bad practice, any sort of storing in an external config file would be a security risk unless it could somehow be encrypted?

At the moment there is only a need to log into the external service, the username is stored in a config file, and the password is requested from the user each session when they first connect to the external service. But it's soon going to be necessary to have an SQL database associated with the program and that causes problems with what to do with the log in details for that.
 
Associate
Joined
24 May 2011
Posts
261
Create a web service that the clients interact with? This way only the web service will have credentials to the database.
 
Soldato
Joined
23 Feb 2009
Posts
4,978
Location
South Wirral
Web service is a good shout as it can be locked down by a firewall.

Also only give the database user the minimum permissions needed for the application - you likely don't want create and drop tables and anything to do with changing users to be allowed. Permission sets and commands will depend on what back end database you are using.

For encrypting a config file, public/private key is usually the way to go. I don't use .net, but there must be a utility library out there to wrap this up for you.
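
Added example, not part of the post above: on the .NET Framework the built-in `RsaProtectedConfigurationProvider` does this public/private key wrapping for a config section. It assumes a reference to System.Configuration and a `<connectionStrings>` section in App.config; the entry name `AppDb` is hypothetical. The program has to decrypt the section on the same machine, so this protects the file at rest, not against the account that runs the program.

```vbnet
' Added example, not code from the thread.
' Assumes .NET Framework, a reference to System.Configuration.dll and a
' <connectionStrings> section in App.config.
Imports System.Configuration

Module ConfigProtection

    ' Built-in provider name; it encrypts the section with an RSA key container.
    Private Const ProviderName As String = "RsaProtectedConfigurationProvider"

    ' Encrypts <connectionStrings> in the program's .exe.config in place.
    ' Returns True if this call encrypted it, False if it was already protected.
    Public Function ProtectConnectionStrings() As Boolean
        Dim config As Configuration =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConfigurationSection = config.GetSection("connectionStrings")

        If section Is Nothing Then
            Throw New ConfigurationErrorsException("No <connectionStrings> section found.")
        End If
        If section.SectionInformation.IsProtected Then
            Return False
        End If

        section.SectionInformation.ProtectSection(ProviderName)
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
        ConfigurationManager.RefreshSection("connectionStrings")
        Return True
    End Function

    ' Reading is unchanged: the runtime decrypts the section on access.
    Public Function GetConnectionString(name As String) As String
        Dim entry As ConnectionStringSettings = ConfigurationManager.ConnectionStrings(name)
        If entry Is Nothing Then
            Throw New ConfigurationErrorsException("Missing connection string: " & name)
        End If
        Return entry.ConnectionString
    End Function

    Sub Main()
        If ProtectConnectionStrings() Then
            Console.WriteLine("connectionStrings section encrypted.")
        End If
        ' "AppDb" is a hypothetical entry name; the value itself is not printed.
        Console.WriteLine(GetConnectionString("AppDb").Length & " characters loaded.")
    End Sub

End Module
```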
 
Soldato
OP
Joined
18 May 2004
Posts
2,864
Location
Lincoln, Uk
Thanks for your replies, sorry it's been a while before I've got back, things have been a bit busy.

Just to clarify what you mean, you mean have the web service as a go between, between the program and the database? So that if say a new record is created, the program sends the data to the web service and tells it to create it, the same for all operations. And not that the program connects with a web service (over https) and sends the user's login and password, and if that is right, provides a suitable database login and password back again.

It also doesn't help that there is planned to be a mix of proper SQL and SQLite going on.
 