Secure way way to perform SQL query in C# class library?

Question

0.00/5 (No votes)

See more:

Hello everyone I'm developing nuget package as a side project, with the package the user will be able to retrieve data from my MySQL database server by executing a function that contains SQL query in it let's call it `GetStuff()`.

Example of the GetStuff code:

public class GetStuff : IDisposable {

      public string? name;


      public void Dispose() {
          //throw new NotImplementedException();
      }

      public GetStuff() {

              Console.WriteLine("Connecting to Server...");

              ConnectionGetter.con.Open();

              String _select = "SELECT stuff FROM information;";
              ConnectionGetter.command = new MySqlCommand(_select, ConnectionGetter.con);

              MySqlDataReader _read = ConnectionGetter.command.ExecuteReader();
              while (_read.Read()) {
                  name = _read.GetString(0);
              }
              _read.Close();
      }

Example usage:

String myUsername = "";
     using(GetStuff gs = new GetStuff()) {
         myUsername = gs.name;
     }

ConnectionGetter class will retrieve connection string from App.Config:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using MySql.Data.MySqlClient;

namespace officialAPIFS {
    public class ConnectionGetter {
        private static string access = System.Configuration.ConfigurationManager.ConnectionStrings["CONNECTIONSETUP"].ConnectionString;
        public static MySqlConnection con = new MySqlConnection(access);
        public static MySqlCommand command;
    }
}

And the main problem is that the SQL query is exposed when you're using intellisense and I want to avoid my table, column, or anything that's related to the SQL query from the function from getting exposed to the user, am I doing this wrong? what are the safer way to do this so the user cannot see the SQL query code behind the function?

What I have tried:

I'm completely lost and google shows irrelevant results.

Posted 3-Mar-23 9:15am

Dan Sep2022

Updated 3-Mar-23 9:30am

Add a Solution

Comments

Maciej Los 3-Mar-23 17:17pm

If you want to hide your sql query, would suggest to store that query in encrypted file. That file should be the part of NuGet package.

PIEBALDconsult 4-Mar-23 10:35am

Trying to hide it is generally not worth the effort. Can't the developer simply connect to the database and query the meta data?
I haven't used MySql for a while, but surely you can define a view which the code would access?
In SQL Server I might use a Table-Valued Function.

Or, simulate your own stored procedure technique by making a table which contains the actual SQL statement and provides an alias?

However, I recommend not bothering.

Dan Sep2022 4-Mar-23 10:38am

`However, I recommend not bothering` So I don't have to bother hiding the SQL query? If so then why is that? How about the vulnerability?

PIEBALDconsult 4-Mar-23 18:21pm

There is no vulnerability. Either the person using your code has access to the whole database or he has none. Trying to hide the particular query is useless when he can simply access everything but that.
Maybe you haven't properly described the situation. Or someone hasn't properly explained to you what to "protect", or you misunderstood what was said.
If you want to "protect" your database, about all you can do is put it behind a Web Service or similar. But that's not what I thin you are going for.
From what I can tell from your question (unless I misunderstood it), a developer has a copy of your database and a copy of your code, and you are trying to keep him from seeing the SQL, even though they have a copy of the database they can fully explore anyway. If this is not the case, then you need to add detail to your question.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

RickZeeland · Answer 1 · 2023-03-03T09:30:00

Solution 1

Maybe you can encrypt the connection string as show in this example:
Encryption Decryption Connection String for the App.Config File[^]

Posted 3-Mar-23 9:30am

RickZeeland