Connection vulnerabilities with WinForms connecting to SQL Server 2008 hosted on a remote server

  • Question

  • I have a Windows application developed in .NET 3.5 (C#), and it connects to a SQL Server 2008 database server hosted on another machine. The WinForms application uses a SQL Server ConnectionString to connect to the remote SQL Server over an Internet connection, and it is working fine.

    I am using C# and the .NET SqlConnection and SqlCommand objects to connect to the database, run queries and fetch results.

    Is this secure? Is there a utility (like Fiddler) which can capture/sniff the connection established between my WinForms application and the database server and capture queries and data?

    Please let me know

    • Are there any tools to capture communication between winform and SQL server (using .Net SqlCommand or SqlConnection objects)
    • Is there any better way to handle the client-to-server connection in terms of security and performance?

    Thanks in advance.

    EDIT: Since my scenario and the one explained in this Stack Overflow post are the same, and that post has not received any confirmed answer, I am including a reference here for others to easily follow both.


    Blog: www.PavanGayakwad.blogspot.com Website: www.SrushtiSoft.com


    • Edited by PavanGayakwad Wednesday, December 12, 2012 7:52 PM Including additional reference.
    Wednesday, December 12, 2012 4:01 PM

All replies

  • Hi,

    If you want to encrypt connection string in your app, you may refer to this thread, http://stackoverflow.com/questions/2160515/encrypt-sql-connectionstring-c-sharp

    However, the security of the data being sent between the DB server and your app should be another topic, about network security. What we should do is raise the security of the DB server and your client system to avoid any malicious attack.

    Good day!


    Michael Sun [MSFT]

    Friday, December 14, 2012 8:21 AM
    Moderator
  • If you are operating in a domain based environment then I would recommend using a trusted connection (integrated security). When using this method, no user credentials are passed to SQL Server. Authentication occurs transparently by way of the network credentials and associated user logon in SQL Server.

    I don't think I would be concerned with data being captured over an internal connection. That is, unless your system is vulnerable to malware (which is a separate issue really).

    AFAIK, Fiddler is a web debugging proxy so it wouldn't be applicable in your scenario. Are there other utilities that can capture network activity? Absolutely. One of them is Wireshark.


    Paul ~~~~ Microsoft MVP (Visual Basic)

    Monday, December 17, 2012 3:51 PM
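
An added example, not from the thread or any poster: a C# check of a SqlClient connection string for the settings that decide whether credentials sit in the client and what a capture tool such as Wireshark can read. `Encrypt`, `TrustServerCertificate` and `Persist Security Info` are real SqlClient keywords that the thread does not mention; the server, database and login names are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Returns one finding per setting that exposes credentials or data.
    public static List<string> Audit(string connectionString)
    {
        // The builder parses the string and applies SqlClient's defaults
        // (Encrypt=False, TrustServerCertificate=False, Integrated Security=False).
        var b = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();

        if (!b.IntegratedSecurity)
            findings.Add("SQL login: User ID and Password are stored in the client's connection string");
        if (!b.Encrypt)
            findings.Add("Encrypt is off: unless the server forces encryption, queries and results travel unencrypted");
        if (b.Encrypt && b.TrustServerCertificate)
            findings.Add("TrustServerCertificate is on: the server certificate is not validated");
        if (b.PersistSecurityInfo)
            findings.Add("Persist Security Info is on: the password stays readable from the connection object");
        return findings;
    }

    static void Main()
    {
        // Constructed sample connection strings; all names and values are placeholders.
        string[] samples = {
            "Data Source=db.example.com;Initial Catalog=AppDb;User ID=appuser;Password=placeholder",
            "Data Source=db.example.com;Initial Catalog=AppDb;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
        };
        foreach (string cs in samples)
        {
            List<string> findings = Audit(cs);
            Console.WriteLine(findings.Count == 0 ? "OK" : string.Join("; ", findings.ToArray()));
        }
    }
}
```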