Search code examples
c#mysqlsqlclassclass-library

Storing SQL credentials correctly


First off, this is an educational question - not something I am implementing in a productional application since I am learning the basics of C#.

Currently I have a solution containing 2 (actually 3, but one is unit testing) projects;

  • Form
  • Class Library

Inside the Class Library I have a class called Database.cs and it communicates with a MySQL database. I don't directly communicate with this Database.cs class, but other classes inside the Class Library do (for example Products.cs). Though, I need credentials to connect to this MySQL database and I am not sure which way to go to do it safely.

Storing it inside the Class Library / hard-coding the credentials inside the class.

This wouldn't make sense to me since a user can easily grab the DLL and he technically got the credentials to the database.

Pass the credentials through the form to a class (like Products.cs) and that class passes it on while initializing the Database object

Could work, tried and it works but I am not sure if this is the 'neatest' way to do it.

Write a static class that contains properties with the credentials

Again, if I create this static class inside the Class Library I am pretty much off the same as my first example. If I would create this static class inside the Form, I require to add a reference to the Form-project from my Class Library (not the way I want it to be).

I tried looking stuff up but I am apparently not doing it right. Is there any other way to do this?


Solution

  • First of all never hard-code credentials into code because credentials tend to change over time so that means you will have to recompile and redeploy your application each time SQL credentials change.

    Usually all information needed to connect to database is stored in application configuration file in a form of connection string.

    If your application is web application then you're good to go because web.config (a web application configuration file) is stored on a web server and is never served to web requests. But if your application is windows forms application, then security considerations kick in meaning that any user who uses your app could peek into application configuration file and get credentials. If it would be Microsoft SQL I would advise to use Windows Authentication. But with MySQL I guess you're doomed to store user name and password into connection string. Then I would suggest securing your connection string by encrypting it.

    Also if your users can/have to authenticate against MySQL server (enter MySQL username and password), then you could use a connection string template and substitute certain parts of it with user name and password:
    app.config

    <connectionStrings>
        <add name="MyApplication" connectionString="Location=myServerAddress;Data Source=myDataBase;User ID={0};Password={1};
    Port=3306;Extended Properties=""""; />
      </connectionStrings>
    

    C# code

    var username = textboxUsername.Text;
    var password = textboxPassword.Text;
    
    var connectionString = string.Format(ConfigurationManager.ConnectionStrings["MyApplication"].ConnectionString, username, password)
    // at this point you have a connection string whitch could be passed to your Products class