Best Practice for flexible data connection
Message
From
14/01/2011 18:04:45
 
 
General information
Forum: ASP.NET
Category: Installation, Setup and Configuration

Environment versions
Environment: VB.NET 1.1
OS: Windows XP SP2
Network: Windows 2003 Server
Database: MS SQL Server
Application: Desktop

Miscellaneous
Thread ID: 01496211
Message ID: 01496249
Views: 51

>>>>Hello Everybody.
>>>>
>>>>I have designed an application which is already fully functional on my system. I want to adjust it now to be able to make it a shrink wrap app.
>>>>
>>>>Currently that app is connecting to my MS SQL 2005 database. For it to be a shrink wrap the database connection should be flexible. Maybe the end customer already has SQL (any version) installed or maybe my app needs to install a light sql version, such as sql express or so.
>>>>
>>>>For this process I have a few questions:
>>>>
>>>>
>>>>  • Which light weight sql do you recommend?
>>>>  • Do I just need to change the connection string to the different database (given the table and fields are the same)?
>>>>  • Where do I change the connection string in the code? Or rather, should I have instead of the connection string a function call which returns the connection string?
>>>>  • How about username/password security? In my case here I am connecting to a database which also has our enterprise data. I don't know if the password is encrypted and/or hidden - can someone get to it? How do I ensure this is safe?
>>>>  • Any other thoughts or concerns to bring me on the right track?
>>>>
>>>>Thank you for all your great help!
>>>
>>>If you want to play outside the MS sandbox then, obviously, switching connection strings isn't going to be enough.
>>>
>>>Switching between SQL2000/2005/2008 and SQL Express shouldn't be an issue but building an install process that allows users to, for example, select an existing SQL instance or install a dedicated SQL Express server in a user-friendly way is not trivial.
>>>
>>>As far as 'lightweight' goes - it depends on your app. If you can get by with CE then it greatly simplifies things. A 2Mb footprint instead of 200Mb. No installation beyond including a couple of .NET DLLs with your app. A few downsides though such as no support for SPROCs etc. Here's an (oldish) white paper comparing SQL Express to CE: http://download.microsoft.com/download/A/4/7/A47B7B0E-976D-4F49-B15D-F02ADE638EBE/Compact_Express_Comparison.doc
>>
>>
>>Hello Viv
>>
>>My plan is to stay with the MS sandbox.
>>
>>In regards to installing or/and selecting an existing db, I don't foresee too many problems. But we will see when I get to that. My concerns will be more on the installshield side (the free version) because I have not used it before and I am not sure where to do certain things. But I am sure you will hear from me when the time comes. :-)
>>
>>I think I can go with CE, because this is very simple data storage - no triggers, procedures, etc. - so I should be ok.
>>
>>I am very concerned about password security. Craig had mentioned the app.config file as the storage for the connection strings. So I checked that one and the final AppName.exe.config file - and sure enough, there is the password in plain daylight. That is a huge problem. I really think in my app it is better to have an application username/password rather than windows authentication.
>>
>>If you know of a way I can secure that - that would be great!
>
>.NET has some built-in bits for encrypting connection strings (or, indeed, any section of a config file).
>Don't be deterred by the continual references to ASP.NET - the same thing can be used with Winforms. There's an example towards the end of this: http://msdn.microsoft.com/en-us/library/ms254494.aspx

Just roughly looked through this web-page.

If I understand this correctly, because it states that "The connection string can only be decrypted on the computer on which it was encrypted" I would do the following (rough outline):

  • Package my app without a password
  • At end user setup time either ask the user for a password (if attaching to an existing db), or have a hardcoded password in the app (.exe, should not be able to re-engineer - I hope)
  • Update the config file through the code you pointed out on that web-page
  • Encrypt that section of the config file with the code you pointed out

Now, 2 more questions:

  • Will the app automatically decrypt as needed, or do I have to do this in my app (I haven't read through the whole article yet)
  • Since this will be an app which will be installed on several computers, all connecting to the same db, I will have to find a sensible way to copy over the connection strings, or the user must do the same setup (selecting a database, password entering, etc) on every computer.

Any thoughts - am I way off with this?

Thanks for all your help!
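
Added example, not part of the original post or of the linked MSDN article: the setup-time outline above (collect the password, write the connection string, encrypt the section) written against the .NET 2.0 protected configuration API. The entry name `AppDb` and the module and method names are hypothetical; it assumes a project reference to System.Configuration.dll and that setup runs with write access to the .exe.config file.

```vbnet
' Added example (not from the thread). Assumes .NET 2.0 or later and a
' reference to System.Configuration.dll. "AppDb" is a hypothetical entry name.
Imports System
Imports System.Configuration
Imports System.Data.SqlClient

Module ConnectionSetup
    Private Const EntryName As String = "AppDb"

    ' Run once per machine at setup time with the values the installer collected.
    Public Sub SaveProtected(ByVal server As String, ByVal database As String, _
                             ByVal user As String, ByVal password As String)
        Dim builder As New SqlConnectionStringBuilder()
        builder.DataSource = server
        builder.InitialCatalog = database
        builder.UserID = user
        builder.Password = password

        Dim config As Configuration = _
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConnectionStringsSection = config.ConnectionStrings

        ' Replace any earlier entry, then store the new one.
        section.ConnectionStrings.Remove(EntryName)
        section.ConnectionStrings.Add(New ConnectionStringSettings( _
            EntryName, builder.ConnectionString, "System.Data.SqlClient"))

        ' DPAPI provider: the section can only be decrypted on this machine.
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection( _
                "DataProtectionConfigurationProvider")
        End If
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
        ConfigurationManager.RefreshSection("connectionStrings")
    End Sub

    ' Normal run time: the framework decrypts the section when it is read.
    Public Function OpenConnection() As SqlConnection
        Dim settings As ConnectionStringSettings = _
            ConfigurationManager.ConnectionStrings(EntryName)
        If settings Is Nothing Then
            Throw New InvalidOperationException("No '" & EntryName & "' entry; run setup first.")
        End If
        Dim conn As New SqlConnection(settings.ConnectionString)
        conn.Open()
        Return conn
    End Function
End Module
```

Reading through `ConfigurationManager.ConnectionStrings` needs no explicit decryption call. Because the DPAPI provider ties the encrypted section to the machine that wrote it, `SaveProtected` has to run on each computer; the encrypted config file cannot simply be copied across.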