Hello friends!
I am developing a desktop-based application, using a database connection(MySQL). I am developing it in .NET, but I put the question here, because in my opinion this question regards to all kinds of programming languages. The problem is that there is a small chance to need to connect to remote MySQL server, because of the needs of the application. I am storing some data in hidden objects at start-up.

My question is: If a cracker disassemblies my application and changes some things(for example create a query that extracts everything of DB), can he obtain the whole database structure and the data related to each table? And after he has succeed in his mission, can he drop everything?

I summarize - I will not just use localhost connections, remote connections should be used sometimes. I have all the types of queries inside the program and because of this can a hacker modify some of them or add his own.

P.S I forgot to say that I am encrypting the database password, but this is no security if the hacker uses my application as a executer of the queries.


I hope you have understood my question. I am looking for possible solutions of this problem as well as comments and opinions of others that have encountered this problem.

Best regards,
Penko Mitev
Bulgaria/(Italy until the end of August )

.NET applications are fairly easy to disassemble, so hiding connection details in your application is not any security . Any mysql user your application connects as should have very limited database permissions. Ideally I'd suggest making a separate program that runs on the mysql server or another server and acts as an API. Your desktop app sends requests to the server api, which then does any necessary mysql queries and returns whatever data the app is allowed to have and has requested. A simple SOAP server could handle it. If you do keep remote mysql details in your app, you'll need to work with the assumption that those connections are now public and all the data that mysql user has access to is public as well

How I am supposed to realize this server api? Should it be done with sockets or what? And actually, how can I secure this thing as he is able to disassemble my exe and use any of my integrated functions, change the query in one, execute it and save the data into a simple txt file?

Web service.

Write your client program and keep all the methods for data access in a single object, allowing nowhere else in the program to open or use a database connection, only those methods. When you have something working, take that class and create a web service out of it. Now the client just talks to the web service.

Keeping all data access and manipulation in a single manager object is a good practice, regardless of how you implement your program. For organization, you can make such a class the public element of a library and implement your data layer naturally within that. However, your UI shouldn't really have to worry about the business of the storage layer.

Hm, can you provide mi with an example of such a class and if you are so kind to write a web service example in several rows or a link to a good article will be appreciated.