Susurrus asked on

What is the most secure way to make queries to a remote mysql database from a c# application

Hi there! I am a bit of a newbie connecting to databases over the internet, so I hope someone can give me some clear guidance on how to move ahead:

I want to be able to query a remote MySQL database from my C# application. The MySQL database is located on a server that has SSL enabled. I have managed to make a connection using mysql connector .net 5, but of course this is completely insecure.

My application could conceivably be running on a large number of machines (i.e. 50>), so my solution will have to take into account multiple users from changing locations.

Is connecting to a remote MySQL database from C# with SSL possible and secure enough? Is it enough to send requests via HTTPS, or is this only for browser-based apps?

Security, SSL / HTTPS, MySQL Server

Last Comment

8/22/2022 - Mon

HTTPS encrypts the data stream quite securely. Put a sniffer on the line to verify.

http://www.wireshark.org is a good/free/easy one. There are others.

Dave Howe

ssl is decent encryption, but ideally you don't want a database "listener" open to the internet where an attacker could try and brute force the login. Sending HTTPS requests to a component on a webserver (which then communicates with the database as an agent) is much more secure, and easier to force authentication on.

This sounds sensible, but if I use an intermediate component, how could I then return the result to my Application? (My application queries the database in order to get a verification code in return.)
Dave Howe

any serverside component can accept data (a POST for example) from your application, and return data in the reply. ideally, the post should contain both a challenge string that both authenticates the application to the server and colours the reply (so the returned code should be identifiable as such by your application to guard against someone "spoofing" the remote server)

as an example of how *not* to do it - one company issues one-shot keys; you download an installer, enter the key into it, and it contacts a webserver to hand off the key. the first time it sees a given key it replies "yes"; if the key is wrong or repeated, it replies "no". Based on that reply, the installer will either install the software, or prompt for another key....

a successful attack is to simply set up a webserver with the same name as the company uses, and place on it an index.htm file that contains the single word "yes" :)
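The reply-binding part of the exchange described above, as an added example that is not part of the original thread: the client sends a fresh random challenge and accepts the verification code only if the reply carries a signature over that challenge plus the code. The names `ServerReply` and `ClientAccepts`, the sample code value, and the choice of ECDSA P-256 are assumptions; the HTTPS transport and the authentication of the application to the server are left out, and the code targets .NET Core 3.1 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: server and client are simulated in one process.
// All names and values here are hypothetical, not from the thread.
static class ChallengeDemo
{
    // Server side: holds the private key and signs (nonce || code).
    static byte[] ServerReply(ECDsa serverKey, byte[] nonce, string code)
    {
        byte[] msg = nonce.Concat(Encoding.UTF8.GetBytes(code)).ToArray();
        return serverKey.SignData(msg, HashAlgorithmName.SHA256);
    }

    // Client side: only the server's public key ships with the application.
    static bool ClientAccepts(ECDsa serverPublic, byte[] nonce, string code, byte[] sig)
    {
        byte[] msg = nonce.Concat(Encoding.UTF8.GetBytes(code)).ToArray();
        return serverPublic.VerifyData(msg, sig, HashAlgorithmName.SHA256);
    }

    static void Main()
    {
        using ECDsa serverKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa serverPublic = ECDsa.Create(serverKey.ExportParameters(false));

        // Fixed-length nonce, fresh per request, so nonce || code is unambiguous.
        byte[] nonce = new byte[32];
        RandomNumberGenerator.Fill(nonce);

        string code = "VERIFY-1234"; // constructed sample verification code
        byte[] sig = ServerReply(serverKey, nonce, code);
        Console.WriteLine("genuine reply accepted:  " + ClientAccepts(serverPublic, nonce, code, sig));

        // A recorded reply offered against a new challenge does not verify.
        byte[] nonce2 = new byte[32];
        RandomNumberGenerator.Fill(nonce2);
        Console.WriteLine("replayed reply accepted: " + ClientAccepts(serverPublic, nonce2, code, sig));

        // A stand-in server without the private key cannot sign the challenge.
        using ECDsa impostor = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] forged = ServerReply(impostor, nonce, code);
        Console.WriteLine("impostor reply accepted: " + ClientAccepts(serverPublic, nonce, code, forged));
    }
}
```

A static page that always answers "yes" fails this check because it cannot produce a signature over a challenge it has never seen.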

I see, that sounds exactly what I want.  So have I got the process correct:

My application sends the key to the serverside component via POST,
the component consults the database and returns the verification code in the reply, along with a second authenticating password to prove the server's identity?
Dave Howe

Log in or sign up to see answer

Thanks very much, this has really saved both my time and my sanity!