I connect to the database directly from my code. I know it can be done through a PHP API, but I do not know the language or the principles of writing such an API, and there is no time at all.

It worries me that the UserID and Password are specified directly in the code. There are several roles in the database: teachers and students. I would not want some clever student to find out the credentials for the teacher role.

I read around, googled, and found out that SSH can be used. A number of questions arose:

  1. SSH only secures the transmission; the data in the code remains in the clear. How do I store it so that it cannot be found by decompiling?
  2. How do I set up SSH? Can you recommend anything? I tried following some video tutorials, but there were always errors when I tried to open a connection through KiTTY or PuTTY, and the errors tell me nothing, even after googling them.
  3. Does SSH need an external IP address?

If I am talking nonsense, please correct me; I have only been learning about SSH and MySQL connections for two hours.


    Storing credentials (login/password) in the code is certainly bad, especially in a standalone program that can be decompiled. Protection against decompilation has already been answered.

    There are a couple of fairly standard tricks that let you avoid storing credentials in the program code.

    1. When the program starts, we ask the user for their personal credentials to connect to the database. This is the simplest way, and nothing is stored other than technical information such as the server address and the database name. The downsides: you need to create and configure an account on the database server for each user, and roles are not so simple either, because you can set up permissions for operations on the database, but your application's roles will end up hard-coded.

    2. Use a database server account with the most limited rights for connecting and authorization. After the user's credentials have been verified and matched to a role, obtain from the database a server account appropriate to the user's role and use it for all further database operations. For authorization and for retrieving the necessary credentials you can write a simple stored procedure in the database, or store the credentials in an ordinary table using reversible encryption. The disadvantage is obvious: a more complex authorization system, but that is offset by flexibility for whatever your application needs.

    3. Connect to the database not directly but through a service, for example WCF. That way, all responsibility for safely storing the server credentials lies with the service, which lives on the server and acts as an intermediary between the database and your application. The disadvantage is having to write the service; the advantages are flexibility, and if it is a WCF service, it is written in the same .NET and C#.

    4. You can also combine approaches, for example points 2 and 3. During authorization the application calls the service and receives from it a connection string to the database corresponding to the user's role. This simplifies the service code from point 3, and there is no need to fuss with storing and returning the database server credentials from point 2.

    There are probably other ways, but these are the ones that come to mind offhand.
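    The following is an added example, not code from the question or from either answer, sketching points 2 and 4 of the answer above as a minimal server-side authorization broker. The client program ships with no database credentials at all; it sends the user's own login to this component, which verifies it and hands back a connection string for a least-privilege database account matching the user's role. The user names, the `app_teacher`/`app_student` accounts, the host name and every secret below are constructed for illustration; the connection-string keywords are those of MySQL Connector/NET.

```python
# Added example: role-scoped connection broker (points 2 and 4 of the answer).
# Everything here runs on the server; the client only knows the broker's address.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000
DUMMY_SALT = bytes(16)  # hashed for unknown users so they cost the same time as known ones


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    pw_hash: bytes
    role: str


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, role: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(salt=salt, pw_hash=hash_password(password, salt), role=role)


# Constructed sample user table (in a real deployment this lives in the database).
USERS = {
    "ivanova": make_user("teacher-pass-2024", "teacher"),
    "petrov": make_user("student-pass-2024", "student"),
}

# Server-side only: one least-privilege MySQL account per role (hypothetical
# account names, constructed secrets). The client never sees this table.
ROLE_ACCOUNTS = {
    "teacher": ("app_teacher", "T3acher-DB-Secret"),
    "student": ("app_student", "Stud3nt-DB-Secret"),
}


class AuthError(Exception):
    """Raised for any failed login; the message does not say which part failed."""


def authenticate(username: str, password: str) -> str:
    """Verify the user's own credentials and return their role."""
    record = USERS.get(username)
    salt = record.salt if record is not None else DUMMY_SALT
    candidate = hash_password(password, salt)  # always computed, to keep timing uniform
    if record is None or not hmac.compare_digest(candidate, record.pw_hash):
        raise AuthError("invalid username or password")
    return record.role


def connection_string_for(username: str, password: str,
                          host: str = "db.school.internal", database: str = "school") -> str:
    """Point 4: the service returns a connection string scoped to the user's role.

    SslMode=Required makes Connector/NET insist on an encrypted transport, the
    simpler alternative to SSH tunnelling that the other answer mentions.
    """
    role = authenticate(username, password)
    db_user, db_password = ROLE_ACCOUNTS[role]
    return (f"Server={host};Database={database};Uid={db_user};"
            f"Pwd={db_password};SslMode=Required;")


def login_succeeds(username: str, password: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        authenticate(username, password)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    print(connection_string_for("petrov", "student-pass-2024"))
```

    Two things to keep in mind with this design: the database server should additionally be configured to accept the `app_teacher` and `app_student` accounts only from the broker's host, and the returned connection string still places a role secret in the client's memory for the lifetime of the session. If that is unacceptable, point 3 of the answer (the service executes the queries itself and never hands out database credentials) is the stricter option.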

      1. SSH is the Secure Shell protocol, which is normally used for managing servers from a terminal. Of course, with some convoluted setup you can route the connection over SSH, but that is most likely not what you need. SSH may be more useful for administering the MySQL server; it can be used for encryption, but that is awkward. It is easier to use SSL to encrypt the traffic. To do that you will need to configure the MySQL server itself accordingly. Here is the instruction.

      2. If you have nevertheless decided to set up SSH, the easiest way is to use Linux and install the MySQL server there. SSH is, you could say, the soul of Linux. Here is the instruction for the simplest (in my opinion) distribution.

      3. It depends on where you are going to access your SSH server from. From a local network it is not needed; over the Internet it is.

      But in fact none of this solves your problem. You want to work with a database whose passwords you want to hard-code. This is not PHP, and without certain skills students will not get at your program code or the passwords. To do that they would at least have to learn what a decompiler is and how to use it.

      Still, the question is interesting: how can you protect yourself from such problems? In my opinion, one of the simplest protections is to put the connection data in App.config (or Web.config, if it is a web project) and encrypt that data. Here is an example of how to encrypt App.config, and here is the official instruction from Microsoft on protecting connection strings in web projects.

      You can also google code obfuscation. There is a list of obfuscators for .NET. One disadvantage is that the program size grows several times over. For example, I wrote a test program:

      namespace ConsoleApplication1
      {
          using System;

          public class Program
          {
              private static void Main(string[] args)
              {
                  // Hard-coded credentials: the constants the obfuscator is meant to hide
                  var Login = "admin";
                  var Passwort = "Password";
                  var test = Login + ":" + Passwort;
                  Console.WriteLine(test);
                  Console.ReadLine();
              }
          }
      }

      The compiled program "weighs" 5 KB. After passing it through the ConfuserEx obfuscator with constant encryption configured, I got 53 KB. The decompiler could no longer open this file at all.

      With certain settings the file grew to 46 KB and the code was changed beyond recognition ... In the decompiled program I could no longer find the constants specified in the code.

      For decompiling I used dotPeek from JetBrains. And here is the obfuscator project file:

       <project outputDir="C:\Dev\Test\ConsoleApplication1\bin\Obfuscated"
                baseDir="C:\Dev\Test\ConsoleApplication1\bin\Release"
                xmlns="http://confuser.codeplex.com">
         <rule pattern="true" preset="maximum" inherit="false">
           <protection id="constants" />
         </rule>
         <module path="ConsoleApplication1.exe" />
       </project>
      • Thanks for the links! - Uliyan Romanov
      • I added an example with an obfuscator here. In terms of how quickly it can be implemented, this method probably suits you best. Twenty minutes at most, and your students can no longer decompile the code without deep knowledge ... - Walter Nuss