how to convert the existing code which is in string to secure string

  • Question

  • User-235541030 posted

    Hi Team, how do I convert the following code to secure string?

    string[] tokens = tokenSt.Split(',');
    int cPos = -1;
    int pPos = -1;
    string lConnString = connectionString.ToLower(CultureInfo.CurrentCulture);

    foreach (string token in tokens)
    {
        cPos = lConnString.IndexOf(token);

        if (cPos > pPos)
        {
            tokenPos = cPos;
            tokenMPos = cPos + token.ToString().Length;
            pPos = cPos;
        }
    }

    As suggested by the team, it should be written using secure string. How do I convert the above strings to secure strings?

    Please help.

    Friday, May 10, 2019 12:53 PM

All replies

  • User765422875 posted

    You want to do something like this:

    // Requires: using System.Linq; using System.Security;
    var secureString = new SecureString();
    tokens.ToCharArray().ToList().ForEach(p => secureString.AppendChar(p));

    Friday, May 10, 2019 5:06 PM
  • User-235541030 posted

    Hi deepal,

    Thank you for your response. I need code to avoid Privacy Violation: Heap Inspection because the values are stored in string, but the team suggested to use only secure strings instead of strings.

    string[] tokens = tokenSt.Split(',');
    int cPos = -1;
    int pPos = -1;
    string lConnString = connectionString.ToLower(CultureInfo.CurrentCulture);
    foreach (string token in tokens)
    {
        cPos = lConnString.IndexOf(token);
        if (cPos > pPos)
        {
            tokenPos = cPos;
            tokenMPos = cPos + token.ToString().Length;
            pPos = cPos;
        }
    }


    The above needs to be converted into string form, and the code also uses some index values to find the position. So please let me know how to convert the entire code without impacting actual functionality.


    Sunday, May 12, 2019 12:40 PM
  • User-893317190 posted

    Hi srinisrinivas,

    ASP.NET has a utility class to convert JS and HTML code to a secure string.

    You could use HttpUtility or WebUtility.

    string securestring = HttpUtility.JavaScriptStringEncode("<div>content</div><script>alert('hello this is inscure string ')</script>");
    string html = WebUtility.HtmlEncode("<div>content</div><script>alert('hello this is inscure string ')</script>");

    The result.

    Best regards,

    Ackerly Xu

    Monday, May 13, 2019 3:09 AM
  • User303363814 posted

    You don't say which strings you want to be SecureStrings.

    The input to your code seems to be a string called tokens; whoever gives you that string needs to give you a SecureString, otherwise you are wasting your time.

    Or are you concerned about connectionString? Whoever passes that to you needs to make it a SecureString, otherwise you are wasting your time.

    Are you aware of the IMPORTANT note in the Microsoft documentation for SecureString which recommends that you not use SecureString? See the highlighted information immediately under the 'Remarks' heading at https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.8

    What are you really trying to achieve?

    Monday, May 13, 2019 3:39 AM
  • User-235541030 posted

    Hi Paul,

    Thanks for your reply. I would like to convert the above code using secure string. Let me know how to convert the entire code.


    Monday, May 13, 2019 10:30 AM
  • User753101303 posted


    Seems to have been shown already. What is the exact problem that remains? The big picture could help.

    As pointed out by PaulTheSmith, another option is to get rid of any sensitive information. For a db connection string, a common approach is to use Windows authentication, which allows you to connect using the account under which your app runs, allowing you to get rid of any password in the connection string.

    Not sure which kind of "connectionString" it is though?

    Monday, May 13, 2019 10:47 AM
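The Windows authentication approach described in the reply above, as an added example that is not code from the thread or from any poster. It assumes the connection string is a SQL Server one (the thread never says); the class name, method names and the sample value are hypothetical.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringCheck
{
    // True when the connection string carries an embedded SQL login password,
    // i.e. a secret that would sit in an ordinary managed string on the heap.
    public static bool HasEmbeddedPassword(string connectionString)
    {
        // The builder parses keywords case-insensitively, so no manual
        // ToLower()/IndexOf() token scanning is needed.
        var builder = new SqlConnectionStringBuilder(connectionString);
        return !string.IsNullOrEmpty(builder.Password);
    }

    // Returns the same connection target with the credentials removed and
    // Windows authentication (the app's own account) switched on.
    public static string ToIntegratedSecurity(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        builder.Remove("Password");
        builder.Remove("User ID");
        builder.IntegratedSecurity = true;
        return builder.ConnectionString;
    }

    static void Main()
    {
        // Constructed sample value, not taken from the thread.
        const string sample = "Server=db01;Database=Orders;User ID=app;Password=example-only";

        if (HasEmbeddedPassword(sample))
        {
            Console.WriteLine("Connection string contains a password; use instead:");
            Console.WriteLine(ToIntegratedSecurity(sample));
        }
    }
}
```

The rewritten value is meant to replace the one stored in configuration, so that no password is ever loaded into a string in the first place; rewriting it at run time does not remove the original from memory.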
  • User303363814 posted

    The recommendation is to not use SecureString.  Your code is not being passed any instances of SecureString.  Altering the code is a complete and utter waste of time. No improvement in security will be obtained.  All that happens is that you will do work for no reason.

    What are you really trying to do???

    Tuesday, May 14, 2019 9:17 AM