6 Replies - 2740 Views - Last Post: 31 October 2011 - 12:57 AM

#1 mattosse

c# MySQL connections, Are they safe?

Posted 22 October 2011 - 12:13 PM

Hello everybody, I'm new to this forum and so on, yeah..

I wanted to ask a simple question.

Are MySQL connections and queries safe for your application? I've got recommendations to not use them, so I've always built simple HTTP requests between PHP scripts and my application instead.

Thanks in advance

Replies To: c# MySQL connections, Are they safe?

#2 brep

Re: c# MySQL connections, Are they safe?

Posted 22 October 2011 - 01:15 PM

According to this article:


Quote

Security

An important aspect of establishing a connection to a computer is security. Even if you are developing an application that would be used on a standalone computer, you must take care of this issue. The security referred to in this attribute has to do with the connection, not how to protect your database.

To support security, the connection string of the MySqlConnection class includes an attribute called Persist Security Info that can have a value of true, false, yes, no.

If you are establishing a trusted or simple connection that doesn't need to be verified, you can assign a value of true. Here is an example:

private void btnLoad_Click(object sender, System.EventArgs e)
{
	MySqlConnection cnnVideos = new MySqlConnection(
			"Network Address=localhost;Initial Catalog='Famille';Persist Security Info=true;");
}



If the connection exists already, to find it out, remember that you can get the value of the MySqlConnection.ConnectionString property. If you had set the Persist Security Info attribute to true, the person getting this information may see the username and the password that were used to establish the connection. If you don't want this information available, you should set this attribute to false or no. If you do this, when somebody inquires about the connection string, he or she would not get the username and the password.


So basically, it depends on how you set the connection's security property.

Here is the link to another article:
Click Here

In conclusion, MySQL connections can be safe as long as you connect in a secure fashion.

Please note: I only know this through recent Google searches. I am not an expert in this.

This post has been edited by preb: 22 October 2011 - 01:16 PM


#3 mattosse

Re: c# MySQL connections, Are they safe?

Posted 22 October 2011 - 01:56 PM

Well, this article is describing SSL. I mean whether the program itself is safe from any simple hacking methods. Since I'm an expert in security in PHP, I'm obsessed with security in other languages as well, including C#, so I want my application to be as secure as possible because I'm publishing my applications to 10.000 people.

This post has been edited by JackOfAllTrades: 23 October 2011 - 02:21 PM
Reason for edit:: Removed unnecessary quote


#4 Curtis Rutland

Re: c# MySQL connections, Are they safe?

Posted 22 October 2011 - 05:49 PM

Totally dependent on situation. For instance, if this is an internal application for a company, there's nothing wrong with using a direct connection, if you believe the company's network is secure.

If this is an internet-facing application, like something you're delivering to consumers, that must talk to a database on your server, then you most definitely should not open your database to access from the internet. That's a huge attack surface.

So, it depends. One suggestion I have: look into WCF. You can make a SOAP web service with WCF, and you never have to write a line of XML for it. This is how I do data access stuff on most of my C# applications.

#5 satis

Re: c# MySQL connections, Are they safe?

Posted 22 October 2011 - 09:45 PM

Security is a very complicated topic. Most of the time when people are talking about security issues with web pages, they're talking about problems with SQL injection attacks. That's not the only method for an attacker to cause you damage, but I think it's the most common.

However, this isn't something specific to MySQL, it extends to any database requests that allow user inputs. For instance, allowing a user to put data into a form field in HTML and then using the input to build a SQL statement's WHERE clause. In order to make sure that someone isn't passing you bad data in an attempt to do a SQL injection, you typically need to clean your inputs. One of the better ways in PHP to do this is with MySQLi or PDO and using prepared/parameterized statements. You can also do prepared statements in .NET, though the syntax is obviously different.

Here's a blog about it.
http://prepared-stat...statements.html

I find myself using prepared statements in both my PHP and C#-based websites. It's easier than trying to clean user input. Ultimately, though, the best way to secure your site depends on the specific implementation. For instance, if I'm going to build a select based off of an enum of some sort (like a select statement in HTML), I just test the input to verify it's really part of that enum. If it's not, I throw an error, regardless of whether or not it matches the proper type or whatever. Similarly, if I'm expecting an integer input, I just Int32.Parse it (similar to (int)$var in PHP).

To get back to the base question, I don't think that connecting to MySQL from C# is any less inherently insecure than connecting to MS-SQL, SQLite, or any other db with ADO.Net support.

This post has been edited by satis: 22 October 2011 - 09:46 PM

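The three checks satis describes (parameterized values, an allow-list for enum-like choices, integer parsing), as an added example that is not part of the original thread. It assumes the MySql.Data (Connector/NET) package; the `videos` table, its columns and the `SafeQueryDemo` names are hypothetical. The command is built without opening a connection, so no database is needed to run it.

```csharp
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient; // assumption: MySql.Data (Connector/NET) is referenced

static class SafeQueryDemo
{
    // Hypothetical allow-list mapping client-facing sort keys to real column names.
    // Identifiers cannot be bound as parameters, so only these fixed strings
    // are ever appended to the SQL text.
    static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "title", "title" }, { "year", "release_year" }
        };

    // Builds a query against a hypothetical `videos` table from three untrusted strings.
    public static MySqlCommand BuildSearch(string titleInput, string minYearInput, string sortInput)
    {
        // Enum-like input: reject anything that is not a known key.
        if (!SortColumns.TryGetValue(sortInput ?? "", out string column))
            throw new ArgumentException("Unknown sort key.", nameof(sortInput));

        // Integer input: parse it; TryParse is used here instead of Int32.Parse
        // so that bad input produces one controlled error.
        if (!int.TryParse(minYearInput, out int minYear))
            throw new ArgumentException("Year must be an integer.", nameof(minYearInput));

        var cmd = new MySqlCommand(
            "SELECT id, title FROM videos " +
            "WHERE title = @title AND release_year >= @minYear " +
            "ORDER BY " + column);
        // Free-text input is bound as a parameter value, never concatenated into CommandText.
        cmd.Parameters.AddWithValue("@title", titleInput);
        cmd.Parameters.AddWithValue("@minYear", minYear);
        return cmd;
    }

    static void Main()
    {
        // Constructed hostile title: it ends up as data in @title, not as SQL.
        MySqlCommand cmd = BuildSearch("x' OR '1'='1", "1990", "year");
        Console.WriteLine(cmd.CommandText);
        foreach (MySqlParameter p in cmd.Parameters)
            Console.WriteLine($"{p.ParameterName} = {p.Value}");

        // Constructed hostile sort key: rejected before any SQL is built.
        try { BuildSearch("x", "1990", "title; DROP TABLE videos"); }
        catch (ArgumentException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

To execute the command, assign an open `MySqlConnection` to `cmd.Connection` before calling `ExecuteReader()`.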

#6 mattosse

Re: c# MySQL connections, Are they safe?

Posted 30 October 2011 - 08:03 AM

OK thanks. Currently I'm using only HTTP requests to web scripts I have prepared for my site, like login.php?fromapplication=1&key=SERCERTKEY&username=etc&password=etc&key2=anotherkey

Works fine, but it's accessible outside the program as well if you know the URL.

#7 Ändrew

Re: c# MySQL connections, Are they safe?

Posted 31 October 2011 - 12:57 AM

Yes, you should send a unique user agent or some sort of key that will be unique to those requests.