Susurrus

asked on

What is the most secure way to make queries to a remote mysql database from a c# application

Hi there! I am a bit of a newbie connecting to databases over the internet, so I hope someone can give me some clear guidance on how to move ahead:

I want to be able to query a remote mySQL database from my C# Application. The mySQL database is located on a server that has SSL enabled. I have managed to make a connection using mysql connector .net 5, but of course this is completely insecure.

My application could conceivably be running on a large number of machines (i.e. 50>), so my solution will have to take into account multiple users from changing locations.

Is connecting to a remote mySQL database from c# with ssl possible and secure enough? Is it enough to send requests via https, or is this only for browser based apps?

rcastle

HTTPS encrypts the data stream quite securely. Put a sniffer on the line to verify.

http://www.wireshark.org is a good/free/easy one. There are others.

SSL is decent encryption, but ideally you don't want a database "listener" open to the internet where an attacker could try and brute force the login. Sending HTTPS requests to a component on a webserver (which then communicates with the database as an agent) is much more secure, and easier to force authentication on.

Susurrus

ASKER

This sounds sensible, but if I use an intermediate component, how could I then return the result to my Application? (My application queries the database in order to get a verification code in return)
any serverside component can accept data (a POST for example) from your application, and return data in the reply. ideally, the post should contain both a challenge string that both authenticates the application to the server and colours the reply (so the returned code should be identifiable as such by your application to guard against someone "spoofing" the remote server)

as an example of how *not* to do it - one company issues one-shot keys; you download an installer, enter the key into it, and it contacts a webserver to hand off the key. the first time it sees a given key it replies "yes"; if the key is wrong or repeated, it replies "no". Based on that reply, the installer will either install the software, or prompt for another key....

a successful attack is to simply set up a webserver with the same name as the company uses, and place on it an index.htm file that contains the single word "yes" :)
I see, that sounds like exactly what I want. So have I got the process correct:

My application sends the key to the serverside component via POST,
the component consults the database and returns the verification code in the reply, along with a second authenticating password to prove the server's identity?
ASKER CERTIFIED SOLUTION
Dave Howe
Thanks very much, this has really saved both my time and my sanity!
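
The challenge-and-reply exchange discussed in the thread above, as an added example that is not code from any of the posters: the application sends a fresh random challenge with its key, and accepts the returned code only if the reply is bound to that challenge. It assumes .NET 6 or later and swaps the "second authenticating password" for an ECDSA signature checked against a public key shipped in the application, so that no shared secret sits on the client machines; the key string, the codes and the `ServerReply`/`ClientAccepts` names are constructed for illustration, and both ends run in one process.

```csharp
// Added example: both ends of the exchange simulated in one process (.NET 6+).
using System;
using System.Security.Cryptography;
using System.Text;

static class ChallengeReplyDemo
{
    // Bytes the server signs and the client rebuilds: the client's nonce, the key and the code.
    static byte[] Transcript(byte[] nonce, string key, string code) =>
        Encoding.UTF8.GetBytes(Convert.ToBase64String(nonce) + "\n" + key + "\n" + code);

    // Server side (hypothetical component): looks up the code and signs the reply.
    static (string Code, byte[] Sig) ServerReply(ECDsa serverKey, byte[] nonce, string key)
    {
        string code = key == "DEMO-KEY-1" ? "VERIFIED-1234" : "REJECTED"; // stands in for the database lookup
        return (code, serverKey.SignData(Transcript(nonce, key, code), HashAlgorithmName.SHA256));
    }

    // Client side: accept the code only if the signature covers this request's nonce.
    static bool ClientAccepts(byte[] pinnedPublicKey, byte[] nonce, string key, string code, byte[] sig)
    {
        using ECDsa verifier = ECDsa.Create();
        verifier.ImportSubjectPublicKeyInfo(pinnedPublicKey, out _);
        return verifier.VerifyData(Transcript(nonce, key, code), sig, HashAlgorithmName.SHA256);
    }

    static void Main()
    {
        using ECDsa serverKey = ECDsa.Create(ECCurve.NamedCurves.nistP256); // private key stays on the server
        byte[] pinned = serverKey.ExportSubjectPublicKeyInfo();             // public key shipped inside the application

        byte[] nonce = RandomNumberGenerator.GetBytes(32);                  // fresh challenge for every request
        var reply = ServerReply(serverKey, nonce, "DEMO-KEY-1");
        Console.WriteLine("genuine reply accepted: " + ClientAccepts(pinned, nonce, "DEMO-KEY-1", reply.Code, reply.Sig));

        // A host that merely answers under the same name has no private key, so its reply fails the check.
        using ECDsa otherKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var fake = ServerReply(otherKey, nonce, "DEMO-KEY-1");
        Console.WriteLine("reply from another host accepted: " + ClientAccepts(pinned, nonce, "DEMO-KEY-1", fake.Code, fake.Sig));

        // A genuine reply recorded earlier fails as well, because the next request carries a new nonce.
        byte[] nextNonce = RandomNumberGenerator.GetBytes(32);
        Console.WriteLine("replayed reply accepted: " + ClientAccepts(pinned, nextNonce, "DEMO-KEY-1", reply.Code, reply.Sig));
    }
}
```

In a deployment the nonce, key, code and signature would travel in the HTTPS POST and its response, with the normal TLS certificate validation left switched on.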