Hi i'm currently creating a game using c# xna and will be allowing users to have some sort of profile system. So they can create account, sign-in view profile, achievements etc.
While I am testing this I am using a local instance of SQL Server Express. In testing this is fine, however when creating the finished product is it ok to simply change the connection strings to connect to a remote publicly accessible SQL server or would this have security implications.
Could someone for example be able to find out the user-name / password for the SQL server through the program and then connect manually and wreak havoc?
Should I instead be looking to connect to a server side application which queries the database on behalf of my client side program to prevent the client side directly accessing my database or is this an unnecessary abstraction?
Due to security concerns connecting to a server side application would be best instead of having the program directly connect to the database.
First, putting a SQL Server out open on the public Internet is generally considered poor security as there have been a number of remote exploits for it.
Second, in general it is difficult or not feasible to limit database access for each user. Creating individual database accounts is typically not practical so a single account is used for all users to connect to the database. This single account needs a lot of access to the database to perform the necessary functions which means it can also be used to execute arbitrary malicious queries against the database. One gentle possibility is UPDATE highscores SET score = 1000000000 WHERE user_id = <my user id>. I have seen a few school administration systems implemented by using the default database admin username and password for all users and which was sent in plaintext over the network. These were not public facing which made it only slightly better.
Some additional questions related to this are:
- connect sql server 2005/2008 over internet
- Client Access to SQL Server over the Internet
How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console
Connection string (sql server 2012):
Provider=SQLNCLI11;Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;
Encrypt=yes;
Connection string (sql server 2008):
Provider=SQLNCLI10;Server=myServerAddress;Database=myDataBase;Trusted_Connection=yes;
Encrypt=yes;
