If I have a simple CRUD app executable in .NET, what prevents a user from loading it into RedGate Reflector and viewing all the contents, including db connection strings, passwords, etc?
Can I protect against this in any way?
| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 30 Jul 2025 05:53:48 GMT
content-type: text/html; charset=utf-8
cf-ray: 96729902dce1c462-BLR
cf-cache-status: DYNAMIC
cache-control: private
set-cookie: prov=076d9481-577d-4ea2-9fec-142e3176bc26; expires=Thu, 30 Jul 2026 05:53:48 GMT; domain=.stackoverflow.com; path=/; secure; httponly
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding
content-security-policy: upgrade-insecure-requests; frame-ancestors 'self' https://stackexchange.com
feature-policy: microphone 'none'; speaker 'none'
x-clacks-overhead: GNU Terry Pratchett
x-frame-options: SAMEORIGIN
x-request-guid: 174a93ed-4c98-4d42-91e6-cbaafe28e079
x-worker-origin-response-time: 280000000
x-dns-prefetch-control: off
set-cookie: __cflb=02DiuFA7zZL3enAQJD3AX8ZzvyzLcaG7w2a8N8uUBnqUY; SameSite=Lax; path=/; expires=Thu, 31-Jul-25 04:53:48 GMT; HttpOnly
set-cookie: prov=076d9481-577d-4ea2-9fec-142e3176bc26; Path=/; HttpOnly; Domain=stackoverflow.com
set-cookie: __cf_bm=8GJQdT.gazTfBUCgzrMzSWEhc4_6PUyTgv0rcfwaPJw-1753854828-1.0.1.1-RqqkqOnI6WEstsOVk5gzaTKZdM_VZDggbeTRQDwCOxf5qko2Z6JYCj3u2lbRCRB4Cno2FDNqNV18yuL4lTPkBIflX9SUWWMJESm2vPMMiwI; path=/; expires=Wed, 30-Jul-25 06:23:48 GMT; domain=.stackoverflow.com; HttpOnly; Secure; SameSite=None
set-cookie: _cfuvid=bmZLXxt7qffVdJA5JxeRQcT8ay1Q38nDSTIxDRo2siM-1753854828277-0.0.1.1-604800000; path=/; domain=.stackoverflow.com; HttpOnly; Secure; SameSite=None
server: cloudflare
content-encoding: gzip
c# - How can I hide the details within my .NET executable? - Stack Overflow
Skip to main content
Stack Overflow
1
- Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
- Advertising Reach devs & technologists worldwide about your product, service or employer brand
- Knowledge Solutions Data licensing offering for businesses to build and improve AI tools and models
- Labs The future of collective knowledge sharing
- About the company Visit the blog
The 2025 Developer Survey results are in. Explore insights into technology and tools, careers, community and more.
View results.
Collectives™ on Stack Overflow
Find centralized, trusted content and collaborate around the technologies you use most.
Learn more about CollectivesTeams
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Learn more about Teams
7
-
5Storing connection strings and passwords in an executable is asking for trouble.– Ron WarholicCommented Aug 25, 2009 at 17:17
-
This question has been asked over and over again on SO. Please search for obfuscation.– Brian RasmussenCommented Aug 25, 2009 at 17:17
-
1Rewrite you app in C++ and reflector won't be able to load it. ;)– P.KCommented Aug 25, 2009 at 17:22
-
Sid, is it asking for trouble in general, or with regard to .NET executables only?– DavidCommented Aug 25, 2009 at 17:26
-
1You need to redesign so that all this information is NOT in the executable PERIOD. C++ doesn't protect you, any idiot with a hex editor can view your strings just fine through that. Look at stored procedures, web services, or any sort of good remote authentication scheme to do this right.– Ron WarholicCommented Aug 25, 2009 at 17:29
|
Show 2 more comments
7 Answers 7
No, the best you can do is obfuscate the assembly to make it harder to read and understand but other than that there is not way to stop someone from using Reflector or ILDASM to view the IL in your assembly.
Remember that the CLR needs to be able to read this assembly as well so if the CLR can read the assembly, so can anyone else.
answered Aug 25, 2009 at 17:16
Obfuscation is never the right answer. Maybe you're going about this the wrong way.
There are several ways I can think of so that the connection string is either not available or not important.
You could put your database behind a web service so that the connection string to the database would only be known to the web service. Of course, you'd need another way to restrict access to the web service, such as using login credentials.
Or, you could give each user their own SQL login name/password. That way, they would know their own userid/password but it would be easy to "turn it off" from the database. This also gives you much better control over each person's access to the database itself... like what tables/views they have access to, and what type of access.
answered Aug 25, 2009 at 17:24
You can make it hard to do so (obfuscation, string encryption, etc.) but it will never be impossible to reverse-engineer as long as the user has access to the executable.
answered Aug 25, 2009 at 17:16
including db connection strings, passwords
Define security in the database engine: limit users, limit machines from which users can connect, limit what users can do, and/or specify that users may interact with the database only via defined "stored procedures".
answered Aug 25, 2009 at 17:22
It depends what you want to protect.
If it's DB connection string with passwords, then don't store them, Example: set up IIS App Pool to run a limited service account to connect to the database and the trusted security. Assuming decent database security, knowledge of servername etc is useless.
You can put your passwords and connection strings in an hashtable or xml then encrypt your data, make an zip file with a password hidden in text file hidden with stenography behind an image. All your unzip and reading make in memory after making a read make a release, flush of memory, call the collector, after using your connection strings and fill clean your variables. Keep only the data you need in memory, be careful in using ram.
-
Nice ideas. Next time you answer try setting out your answer to make it a bit easier to read. Commented Jun 24, 2011 at 8:20
Obfuscation would be an option. But I guess you cannot hide e.g. password strings completely. That's really unsafe.
- The Overflow Blog
-
-
- Featured on Meta
-
-
-
-
-
-
Related
Hot Network Questions
- An SF novel where a very young child escapes being murdered by hiding in the water tank of a toilet
- Is a normality test always performed on errors and not on raw data?
- On Joyal's definition of a category of plane trees
- I have a table that is being forced over the right margin how do I force the table to evenly break both margins?
- When using Da Capo, does that normally include a pick up?
- If Satan is not omnipresent, how can he tempt or test multiple people at the same time in different places?
- Modification of proof environment is nullified by babel
- Can ffmpeg record screen on wayland?
- Seven-dimensional cross product
- Has the similarity between diagrams of the expanding universe and of vapour pressure in mixtures been noted by others? Is this just coincidence?
- How to identify process' serving 127.0.0.53:53 and 127.0.0.54:53?
- Help distinguishing between statistics in Mixed Model output table
- Visa Free Transit Facility (VFTF): Indian passport but resident in Saudi Arabia
- Electrician ran neutral and ground to the same bar, and is telling me it's common practice. Pictures show my main and sub. Is he right?
- How to speed up this NIntegrate which is calculated many times?
- VMWare, SAN, SSD, Influence of the fill level on the performance of a virtual hard disk
- Can Trump sue South Park?
- Finite projective plane with trivial automorphism group
- How to test whether a secondary inet address exists on an eth interface?
- Why f[x___] := {x==="To be", x=!="not to be"} is both True for f[]?
- What are the consequences of allowing breaking/returning from every statement?
- The root neighborhood representation
- Looking for a piece of writing that describes the head of Michelangelo's David floating in space
- Can I combine 2 car reservations on adjacent dates with Hertz?
lang-cs