>>>>Hello Everybody.
>>>>
>>>>I have designed an application which is already fully functional on my system. I want to adjust it now to be able to make it a shrink wrap app.
>>>>
>>>>Currently that app is connecting to my MS SQL 2005 database. For it to be a shrink wrap the database connection should be flexible. Maybe the end customer already has SQL (any version) installed or maybe my app needs to install a light sql version, such as sql express or so.
>>>>
>>>>For this process I have a few questions:
>>>>
>>>>
>>>>- Which light weight sql do you recommend?
>>>>- Do I just need to change the connection string to the different database (given the table and fields are the same)?
>>>>- Where do I change the connection string in the code? Or rather, should I have instead of the connection string a function call which returns the connection string?
>>>>- How about username/password security? In my case here I am connecting to a database which also has our enterprise data. I don't know if the password is encrypted and/or hidden - can someone get to it? How do I ensure this is safe?
>>>>- Any other thoughts or concerns to bring me on the right track?
>>>>
>>>>Thank you for all your great help!
>>>
>>>If you want to play outside the MS sandbox then, obviously, switching connection strings isn't going to be enough.
>>>
>>>Switching between SQL2000/2005/2008 and SQL Express shouldn't be an issue but building an install process that allows users to, for example, select an existing SQL instance or install a dedicated SQL Express server in a user-friendly way is not trivial.
>>>
>>>As far as 'lightweight' goes - it depends on your app. If you can get by with CE then it greatly simplifies things. A 2Mb footprint instead of 200Mb. No installation beyond including a couple of .NET DLLs with your app. A few downsides though such as no support for SPROCs etc. Here's an (oldish) white paper comparing SQL Express to CE: http://download.microsoft.com/download/A/4/7/A47B7B0E-976D-4F49-B15D-F02ADE638EBE/Compact_Express_Comparison.doc
>>
>>
>>Hello Viv
>>
>>My plan is to stay with the MS sandbox.
>>
>>In regards to installing or/and selecting an existing db, I don't foresee too many problems. But we will see when I get to that. My concerns will be more on the InstallShield side (the free version) because I have not used it before and I am not sure where to do certain things. But I am sure you will hear from me when the time comes. :-)
>>
>>I think I can go with CE, because this is very simple data storage - no triggers, procedures, etc. - so I should be ok.
>>
>>I am very concerned about password security. Craig had mentioned the app.config file as the storage for the connection strings. So I checked that one and the final AppName.exe.config file - and sure enough, there is the password in plain daylight. That is a huge problem. I really think in my app it is better to have an application username/password rather than Windows authentication.
>>
>>If you know of a way I can secure that - that would be great!
>
>.Net has some built-in bits for encrypting connection strings (or, indeed, any section of a config file).
>Don't be deterred by the continual references to ASP.NET - the same thing can be used with Winforms. There's an example towards the end of this: http://msdn.microsoft.com/en-us/library/ms254494.aspx
Just roughly looked through this web-page.
If I understand this correctly, because it states that "The connection string can only be decrypted on the computer on which it was encrypted", I would do the following (rough outline):
- Package my app without a password
- At end user setup time either ask the user for a password (if attaching to an existing db), or have a hardcoded password in the app (.exe, should not be able to re-engineer - I hope)
- Update the config file through the code you pointed out on that web-page
- Encrypt that section of the config file with the code you pointed out

Now, 2 more questions:
- Will the app automatically decrypt as needed, or do I have to do this in my app (I haven't read through the whole article yet)?
- Since this will be an app which will be installed on several computers, all connecting to the same db, I will have to find a sensible way to copy over the connection strings, or the user must do the same setup (selecting a database, password entering, etc) on every computer.

Any thoughts - am I way off with this?
Thanks for all your help!
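
The setup-time procedure outlined in the last post, as an added C# example that is not part of the original thread or the linked MSDN article: it stores the connection string entered at setup and encrypts the `connectionStrings` section with the built-in DPAPI provider. The connection-string name `AppDb` and the class and method names are assumptions.

```csharp
// Added example (not from the thread). Needs a reference to System.Configuration.dll.
using System;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionSetup
{
    // "AppDb" is an assumed connection-string name; use the one your app.config defines.
    const string Name = "AppDb";
    // DPAPI-backed provider: the ciphertext is only readable on the machine that wrote it.
    const string Provider = "DataProtectionConfigurationProvider";

    // Call once per machine from setup (needs write access to AppName.exe.config).
    public static void SaveAndProtect(string server, string database, string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server, InitialCatalog = database,
            UserID = user, Password = password, IntegratedSecurity = false
        };

        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;

        // Replace any previous entry so re-running setup does not fail on a duplicate name.
        if (section.ConnectionStrings[Name] != null)
            section.ConnectionStrings.Remove(Name);
        section.ConnectionStrings.Add(
            new ConnectionStringSettings(Name, builder.ConnectionString, "System.Data.SqlClient"));

        if (!section.SectionInformation.IsProtected)
            section.SectionInformation.ProtectSection(Provider);

        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Reading needs no decrypt call: the section is decrypted transparently on access.
    public static SqlConnection Open()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[Name];
        if (settings == null)
            throw new InvalidOperationException("Run setup first: no '" + Name + "' connection string.");
        var connection = new SqlConnection(settings.ConnectionString);
        connection.Open();
        return connection;
    }
}
```

With the default machine-level DPAPI key, any process on that computer can decrypt the section, so this protects a config file that is copied elsewhere, not the password from a local user of the same machine. Each client computer has to run the setup step itself; `RsaProtectedConfigurationProvider` is the built-in alternative whose key container can be exported to other machines.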