Is the C# language recommended to be distributed online with a database?

Viewed 385 times

11

It is very easy to get the entire code of a C# program using .NET Reflector.

Would it be possible for me to put the same security in a C# program as in a program made in C++? I found that answer on Stack Overflow in English, but even the comment says that it is still possible to obtain the code of the program.

I don’t think it’s cool for anyone to see my code. I’m not saying that C++ is totally safe or anything; I confess I don’t know much about it. But from everything I looked up, with C++ it would not be possible to get all the code as is possible in C#.

But the question is about C# and not C++. I really like C# and wanted to know if I can really trust using a database password in C# just by using one of the programs to "hide the code" from .NET Reflector. If not, would C++ be a good option?

1 answer

16


The problem of security is in the programmer and not in the language. When using the wrong technique you will get the wrong solution.

Executable safety

In any language you can pick up passwords inserted inside your executable. The solution is simple: don’t do this!

C++ produces native executables, that is, machine code, but that doesn’t mean passwords are protected; on the contrary. Not even the code is protected. A disassembler can recreate the code in Assembly. There are decompilers that can also produce C/C++ code from an executable. The results are not good, but it is possible.

C# decompilation allows you to generate better code, but it is still not perfect. And you can generate native code with C#; this existed before with Ngen and is now easier with .NET Native (obsolete).

Don’t worry too much about the fact that the code can be more easily decompiled, and in a specific circumstance (this is not even related to the language itself, but rather to how it is implemented, which is a transient feature). It causes fewer problems than it seems; in fact, I have never actually seen it cause a problem.

Protect passwords

First try not to put a password in the executable or send it to a file. Are you sure it’s necessary? Is there no other way to do this? Get creative!

If you need a password, why not leave it in the hands of the user? Isn’t it a better solution to let the user create a password for it (or you create one in some way) and have access done by typing that password?

There are techniques that avoid needing to put the password in the solution.

If you really have no other way and have to put the password of the database together with the application, there is no reason to put it inside the executable. Put it in an auxiliary file. There’s even a .NET pattern to do this. And do it in an encrypted way, obviously. This protects the password, not 100%, but it protects.

You’ve already searched the O.R., search for the right reason. See that .NET has already thought about this and has a solution ready.

For this problem it makes no difference to use C++ or C#. In fact you are likely to find fewer ready-made solutions in C++ than in C#.

You can ask specific questions about the subject or other things, but be careful because your idea of security is far from reality. Don’t believe anything without having information to confirm this unequivocally. That’s why we’re here.
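
One way to do what the answer above describes (password kept out of the executable, stored encrypted in an auxiliary file), as an added example that is not the answerer's code. It assumes Windows DPAPI through `ProtectedData` as the mechanism, which the answer does not name; the file name `db.secret` and the entropy string are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example. Assumes Windows; on .NET Core/5+ the
// System.Security.Cryptography.ProtectedData package must be referenced.
static class DbSecretStore
{
    static readonly string SecretPath = Path.Combine(AppContext.BaseDirectory, "db.secret");
    // Extra entropy ties the blob to this application; it is not a secret key.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Run at install or first start: the password is typed in, never compiled in.
    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(SecretPath, blob);
        Array.Clear(plain, 0, plain.Length);
    }

    // Returns null when nothing is stored or the blob cannot be decrypted
    // (file copied to another user or machine, or modified on disk).
    public static string Load()
    {
        if (!File.Exists(SecretPath)) return null;
        try
        {
            byte[] blob = File.ReadAllBytes(SecretPath);
            return Encoding.UTF8.GetString(
                ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser));
        }
        catch (CryptographicException) { return null; }
    }
}

static class Program
{
    static void Main()
    {
        if (DbSecretStore.Load() == null)
        {
            Console.Write("Database password: ");
            DbSecretStore.Save(Console.ReadLine() ?? "");
        }
        Console.WriteLine(DbSecretStore.Load() != null ? "Secret loaded." : "Secret unavailable.");
    }
}
```

Decompiling the executable now yields no password, and a copied `db.secret` does not decrypt under another account, but any code running as the same Windows user can still call `Unprotect`, which matches the answer's "not 100%".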
