I am developing a Winforms application compiled for the .NET 4 framework. The application accesses SQL Server using typed Datasets and an encrypted connection string.
Out of curiosity, I open the executable file in a binary editor and noticed that I was able to view the SQL queries from the datasets as plain text. I am concerned that this opens up a security issue – for example, someone changes “select * from mytable” to “delete from mytable”.
What is the best way of preventing this? The general consensus on obfuscation seems to be “don’t bother”, but surely this is a security nightmare just waiting to happen? Are there any best practices or tools that anyone can recommend?
I guess to store SQL as strings is never a good way to deal with DBs but this is a out-of-topic sentence. A malicious user anyway can’t really change your code because a .NET assembly should be signed (and then not modifiable). I guess that was just an example (why they should change a create table to a delete table?). This isn’t true for a native application (or for SQL code that comes from other unverified locations. If everything you can do to save your database has been done on the…DB side then you can start to protect your program. If you really can’t avoid to inject pure plain SQL in your code you have to sign your assemblies. If you need to “hide” that SQL you may think to put it in an encrypted text resource file (but I do not think this is your case).