In your case there are two main attack possibilities:

- Steal the connection string and then access the database directly
- Call methods in your C# code directly without using the UI

For the connection string you need to store it in an encrypted form in a config file. Problem is that there needs to be enough information in the winforms app so that it can decrypt and use it.

For accessing the code directly you can use code access security and obfuscation.

In your case I would not give the windows app direct access to the database. Let the windows app call a WCF service, then the WCF service would access the database.

The user's user account is allowed to call the WCF service, the WCF service is running under an account that is allowed to access the database, and the user's user account has no rights to the database.

Windows App with 3 Layers:

- UI
- Business (Security check: what UI should be shown to the user)
- Proxy

WCF Service with 2 Layers:

- Facade / Business Layer (Security check: is the user allowed to call this method with this data)
- Entity Framework datamodel

Common dll's to both layers:

- Contracts / WCF Interfaces
- Data Transfer Objects

For info on proxy, contracts and DTO's see this video:

http://www.dnrtv.com/default.aspx?showNum=103
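An added illustration of the facade-layer check the answer describes (example code written for this page, not from the answer or from any project). It assumes a hypothetical IOrderRepository wrapping the Entity Framework model and a hypothetical Windows group CORP\OrderUsers; the service itself runs under a separate account that holds the database rights, so the client never carries a connection string.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.ServiceModel;

// --- Contracts dll, shared by the WinForms proxy and the service ---
[DataContract]
public class OrderDto                 // DTO: no EF entity leaves the service
{
    [DataMember] public int OrderId { get; set; }
    [DataMember] public string OwnerAccount { get; set; }
    [DataMember] public decimal Total { get; set; }
}

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    OrderDto GetOrder(int orderId);
}

// Hypothetical data-layer abstraction over the Entity Framework datamodel.
public interface IOrderRepository { OrderDto Load(int orderId); }

// --- Facade / business layer inside the WCF service ---
public class OrderService : IOrderService
{
    private readonly IOrderRepository _repo;
    public OrderService(IOrderRepository repo) { _repo = repo; }

    // Check 1: may the caller invoke this method at all? WCF evaluates the
    // demand against the caller's Windows groups before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\OrderUsers")] // hypothetical group
    public OrderDto GetOrder(int orderId)
    {
        // Windows account the WinForms app authenticated as. The service
        // process, not this account, is what the database trusts.
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;

        OrderDto order = _repo.Load(orderId);

        // Check 2: may this caller see *this* record? A method-level check
        // alone would let any group member fetch any order by id.
        if (order == null ||
            !string.Equals(order.OwnerAccount, caller, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Order not found.");  // same fault for missing and foreign ids

        return order;
    }
}
```

Bypassing the UI and calling the proxy directly gains the user nothing here, because both checks live on the service side where the user's account cannot alter them.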