View Full Version : C# protected DB connection string


jmitch18
12-22-2008, 09:50 PM
Hi,

I'm working on a program that interacts with the MySQL database of a website.

I have a class for the Database in C# which manages the connection and closing etc. It also stores a constant for the connection string similar to the following example:


private const string CONN_STRING = "SERVER=someServer;" +
"DATABASE=someDatabase;" +
"UID=someUser;" +
"PASSWORD=somePassword;";

// connect
private MySqlConnection connection = new MySqlConnection(CONN_STRING);


A recent concern I've had is whether someone could reverse engineer the program, get the access details and then perhaps get access to the database and do some severe damage.

If this is a possible hole, is there any way to protect these details?

Thanks in advance.

oracleguy
12-22-2008, 10:07 PM
Does your program only read information from the database?

jmitch18
12-22-2008, 10:21 PM
The current plan for the program is that it will read from and write to the database; however, there is an alternate solution that would allow for it to be read only.

Basically the program will validate a user's login against the database initially. Then it will notify the user of any new messages from the database and allow them to view them. Both examples of read only.

The program was then meant to allow the user to respond to the messages which is basically the only example of where a write operation is needed.

Other possibilities could be considered though if it made security easier; such as a web browser control to respond.

oracleguy
12-22-2008, 11:04 PM
Well, you can add security on your MySQL server to help minimize the danger. You can create a special purpose user account that can only access that one database. Then you can allow only select access for the overall database. MySQL also allows table specific permissions which would mean you can make that account only have insert capabilities on that one table.

That way the only table that could potentially be compromised is your messages table. But even if they figured out the username and password, they wouldn't for example be able to modify your users table.
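
The account setup described in this post could look like the following on a server where you hold the CREATE USER and GRANT privileges; this is an added example, not part of the original post. The account name app_client, the '%' host, the password placeholder and the table name messages are assumptions; someDatabase is the name used in the question.

```sql
-- Least-privilege account for the desktop client.
-- Assumed names: app_client, messages. Placeholder: the password.
-- '%' allows connections from any host, since clients run on user machines.
CREATE USER 'app_client'@'%' IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD';

-- Read access to the one database only. A new account starts with no
-- privileges (USAGE), so nothing outside someDatabase is reachable.
GRANT SELECT ON someDatabase.* TO 'app_client'@'%';

-- Write access limited to adding rows to the messages table.
GRANT INSERT ON someDatabase.messages TO 'app_client'@'%';

-- Check 1: should list only USAGE on *.*, SELECT on someDatabase.*,
-- and INSERT on someDatabase.messages.
SHOW GRANTS FOR 'app_client'@'%';

-- Check 2: audit queries. Each returns one row per privilege the account
-- holds beyond the intended set, so all three should come back empty.
SELECT PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''app_client''@''%'''
   AND PRIVILEGE_TYPE <> 'USAGE';

SELECT TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''app_client''@''%'''
   AND NOT (TABLE_SCHEMA = 'someDatabase' AND PRIVILEGE_TYPE = 'SELECT');

SELECT TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE
  FROM information_schema.TABLE_PRIVILEGES
 WHERE GRANTEE = '''app_client''@''%'''
   AND NOT (TABLE_SCHEMA = 'someDatabase'
            AND TABLE_NAME = 'messages'
            AND PRIVILEGE_TYPE = 'INSERT');

-- When connected as app_client, any UPDATE or DELETE, and any INSERT
-- into a table other than messages, is rejected with ERROR 1142
-- (command denied).
```

With these grants, credentials extracted from the client binary can still read every table in someDatabase and add rows to messages; they cannot change or delete existing rows.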

jmitch18
12-22-2008, 11:20 PM
The problem is with the current host, I don't have the rights to create new users or give them different access rights.

oracleguy
12-23-2008, 01:16 AM
> The problem is with the current host, I don't have the rights to create new users or give them different access rights.

Your host doesn't let you create your own users for MySQL? Do they let you even connect to your MySQL database from the Internet?

jmitch18
12-23-2008, 03:18 PM
Nope, and that's been the case for pretty much any non-dedicated host I have worked with in the past 5 years.

oracleguy
12-23-2008, 07:22 PM
> Nope and that's been the case for pretty much any non-dedicated host I have worked with in the past 5 years.

If they don't even let you connect to your MySQL server from the Internet, how is your program going to connect to it?

Protecting the system on the server side is the only real way to ensure some security since the user/client side is out of your control.

jmitch18
12-24-2008, 03:13 AM
I ignored the utterly preposterous second half of your previous comment but thanks for your help anyway.