How to publish winform application

ravi kumar 331 Reputation points
2022-04-25T06:45:05.653+00:00

Hello all,

Pls guide me how to publish my winform application through visual studio 2022 , as i have user id and password of my sql databse in app.config file , i need you help to publish my winform application in a most secured way .

Windows Forms
Windows Forms
A set of .NET Framework managed libraries for developing graphical user interfaces.
1,869 questions
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
10,628 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Karen Payne MVP 35,386 Reputation points
    2022-04-26T16:26:48.323+00:00

    Addressing app.config security, perhaps the following may assist.

    using System;
    using System.Configuration;
    using System.IO;
    
    namespace SecureConnection
    {
        public class Protection
        {
            public string FileName { get; set; }
            public Protection(string executableFileName)
            {
                if (!(File.Exists(string.Concat(executableFileName, ".config"))))
                {
                    throw new FileNotFoundException(string.Concat(executableFileName, ".config"));
                }
                FileName = executableFileName;
            }
            private bool EncryptConnectionString(bool encrypt, string fileName)
            {
                bool success = true;
                Configuration configuration = null;
    
                try
                {
                    configuration = ConfigurationManager.OpenExeConfiguration(fileName);
                    var configSection = configuration.GetSection("connectionStrings") as ConnectionStringsSection;
    
                    if ((!configSection.ElementInformation.IsLocked) && (!configSection.SectionInformation.IsLocked))
                    {
                        if (encrypt && (!configSection.SectionInformation.IsProtected))
                        {
                            // encrypt the file
                            configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                        }
    
                        if ((!encrypt) && configSection.SectionInformation.IsProtected) //encrypt is true so encrypt
                        {
                            // decrypt the file. 
                            configSection.SectionInformation.UnprotectSection();
                        }
    
                        configSection.SectionInformation.ForceSave = true;
                        configuration.Save();
    
                        success = true;
    
                    }
                }
                catch (Exception)
                {
                    success = false;
                }
    
                return success;
    
            }
            public bool IsProtected()
            {
                var configuration = ConfigurationManager.OpenExeConfiguration(FileName);
                var configSection = configuration.GetSection("connectionStrings") as ConnectionStringsSection;
                return configSection.SectionInformation.IsProtected;
            }
            public bool EncryptFile() => File.Exists(FileName) && EncryptConnectionString(true, FileName);
    
            public bool DecryptFile() => File.Exists(FileName) && EncryptConnectionString(false, FileName);
        }
    }
    
    0 comments No comments

  2. Bruce (SqlWork.com) 61,186 Reputation points
    2022-04-26T17:35:46.717+00:00

    encrypting the appsettings is not a secure solution in this case.

    as the encryption must be done on the user machine under their account, it would require that the password be a variable in program (then why use app settings), or the user enter it, or the app ship with an unencrypted app settings, that is encrypted the first time used, or the installer program encrypt. still not very secure.

    because the user has the key, they can always decrypt themselves, so at best this is obfuscation.

    if you pre-encrypt the appsettings, then the program must have the key store internally, and thus available via decompiling.

    as suggested the best options are to have the user login to sqlserver as themselves, or use a webapi as a proxy. if you allow them to login as themselves, you should use stored procs, and have the procs validate their security, the same with the webapi.

    0 comments No comments