I have created an Excel 2007 add-in using Visual Studio 2008 and the built-in project template. In my project, I have a database connection class that connects to an Oracle database with a connection string, such as:
string connectionString = "Data Source=ibd1.dev;User Id=xxx;Password=xxx;";
My question is, how safe is this after the add-in is deployed? Is it possible for an end user (or mischievous hacker) to decompile the add-in and see the connection string? I can’t risk that if it is possible.
I should mention how it is deployed. I am using the “Publish” function in Visual Studio to put the installation files out on a shared network drive that anyone inside the company can access. The resulting directory has a setup.exe, a VSTO file, and a couple of subdirectories with DLLs and MANIFEST files. I don’t have much experience with deployment since I am typically a web app developer.
Any advice would be appreciated.
Yes. Tools like Reflector, dotPeek, etc. make that trivial.
I probably wouldn’t connect directly to a database from a VSTO add-in. Instead, I would call a web service (which talks to the DB), and the user would need to authenticate to the web service, either with a username and password, Windows Integrated Authentication, etc.
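A pre-publish audit for the problem discussed above, as an added example that is not part of the original question or answer: it flags connection strings with a password key that are stored as plain UTF-16LE literals in the published binaries. The function names, the `.deploy` handling and the sample bytes are assumptions made for this illustration.

```python
import re
import sys
from pathlib import Path

# .NET string literals sit in the assembly as UTF-16LE: printable char + 0x00.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Connection-string keys that carry a credential.
SECRET_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]*)")

def find_embedded_secrets(blob: bytes):
    """Return (offset, redacted_text) for each literal containing a password key."""
    findings = []
    for m in UTF16_RUN.finditer(blob):
        text = m.group().decode("utf-16-le")
        if SECRET_KEY.search(text):
            # Redact the value so the audit log does not leak the secret itself.
            redacted = SECRET_KEY.sub(lambda k: k.group(1) + "=<redacted>", text)
            findings.append((m.start(), redacted))
    return findings

def scan_publish_dir(root: str):
    """Scan binaries under a publish folder; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        # ClickOnce publishing may append ".deploy" to the DLL names.
        if path.is_file() and path.suffix.lower() in (".dll", ".exe", ".deploy"):
            hits = find_embedded_secrets(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: padding, a length byte, then the question's literal as UTF-16LE.
SAMPLE_BLOB = (
    b"\x00" * 16 + b"\x5d"
    + "Data Source=ibd1.dev;User Id=xxx;Password=xxx;".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_publish_dir(sys.argv[1])
    else:
        report = {"<constructed sample>": find_embedded_secrets(SAMPLE_BLOB)}
    for name, hits in report.items():
        for offset, text in hits:
            print(f"{name} @0x{offset:x}: {text}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it against the publish folder before copying files to the share; a non-zero exit code means a credential literal is present in a shipped binary.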