SECURITY: Best Practices for Handling Connection Strings

Hello,
I saw a brief blurb on this somewhere and am unable to recall where...

In the context of Security, what are some best practices for
handling -storing, locating, retrieving- database OLEDB connection strings?

I have typically used a single include file and even considered stuffing the
string in a document (XML or otherwise) outside of the root directory. I
know of and have used methods to store connection strings in the registry of
the server. My thinking is the optimal solution involves some form of
encryption and locating the string outside of the site itself.

What about storing the connection string in a database? -just seeing if you
were awake (-;

Links to articles or other such resources will be greatly appreciated.

--
Cheers!

Ryan N.
---------------------------------
Funny...this worked yesterday....
Jul 19 '05 #1
I usually store my connection string in an application variable located in
the global.asa file.

i.e.

Application("conn") = "yourconnectionstring"

The other thing I was just thinking about the other day was to include it in
a DLL. Haven't tried it yet, but can't see why it's not possible.
Jul 19 '05 #2
Thanks for the response.

Some observations...

I can see some potential issues with keeping a connection string within a
compiled dll in that if the server configuration settings change the dll
will have to be rebuilt and redeployed.

Application variables are a viable option as long as there is only one
application within the site -or very few for that matter.

What other 'Best Practice' ideas are out there?

--
Cheers!

Ryan N.
---------------------------------
Funny...this worked yesterday....
Jul 19 '05 #3
"Ryan N." <zh****@CANTHESPAMhotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> Hello,
> I saw a brief blurb on this somewhere and am unable to recall where...
>
> In the context of Security, what are some best practices for
> handling -storing, locating, retrieving- database OLEDB connection strings?
> I have typically used a single include file and even considered stuffing
> the string in a document (XML or otherwise) outside of the root directory.

You could store it in a .asp file and then include that in your application.
There's no need to store it outside of the root directory because if someone
tries to access the file, it will be processed by the server. I would avoid
the XML approach though... less secure (if it was accessible via the web
somehow).

> I know of and have used methods to store connection strings in the registry
> of the server.

The problem with that is that if the server ever changes, your application
could stop working. That is, if the site is ever moved to a new server. In
addition, if your site is hosted, the chances of the host letting you add
something to the registry seem pretty slim to me. Plus, if I'm not
mistaken, registry access is slow, so it could affect performance.

> My thinking is the optimal solution involves some form of
> encryption and locating the string outside of the site itself.

Encryption? That could affect performance. I would avoid it if other
methods meet your needs.
Locating the string outside of the site itself? This adds some work, and I
would avoid it if other methods meet your needs.

My suggestion is to take an n-tier approach, putting your data access
methods into a single ASP file, and including that file in the pages that
need database access. This file would include the connection string, and
would not need to be encrypted or stored in a folder outside of the web
site. The only way anyone will see the contents of the file would be if
they had direct access to the server, in which case there would be very
little you could do anyway.

Regards,
Peter Foti

Jul 19 '05 #4
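
An added example, not part of the original thread: a Python check for the distinction drawn in post #4, that a connection string in a .asp include is processed by the server while the same string in an .xml or .inc file under the web root would be returned as text. The script-mapped extension set, the keyword list and the sample site tree are assumptions constructed for illustration; adjust the set to match the server's actual handler mappings.

```python
import os
import re
import tempfile

# Assumption: extensions mapped to the ASP engine on this server, so a request
# runs the file (or is refused, for global.asa) instead of returning its text.
SCRIPT_MAPPED = {".asp", ".asa"}

# Keywords found in OLEDB connection strings; two distinct ones must appear.
KEYWORD_RE = re.compile(
    r"\b(Provider|Data Source|Initial Catalog|User Id|Password)\s*=", re.IGNORECASE
)


def exposed_connection_strings(web_root):
    """Relative paths under web_root that hold a connection string in a file
    the web server would hand to a client as plain text."""
    hits = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_MAPPED:
                continue  # executed server-side, source not returned
            path = os.path.join(folder, name)
            with open(path, "r", errors="ignore") as fh:
                found = {k.lower() for k in KEYWORD_RE.findall(fh.read())}
            if len(found) >= 2:
                hits.append(os.path.relpath(path, web_root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site(root):
    """Constructed sample tree: the same string stored three different ways."""
    conn = "Provider=SQLOLEDB;Data Source=DBHOST;User Id=app;Password=example;"
    samples = {
        "includes/data.asp": '<% Const CONN = "' + conn + '" %>',
        "includes/conn.inc": '<% Const CONN = "' + conn + '" %>',
        "settings.xml": "<config><conn>" + conn + "</conn></config>",
        "readme.txt": "Ask the DBA for the password.",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel in exposed_connection_strings(site):
            print("served as plain text:", rel)
```

Run against the real web root, any path it reports is a candidate for renaming to .asp or moving out of the site.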
