"Ryan N." <zh****@CANTHESPAMhotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> Hello,
> I saw a brief blurb on this somewhere and am unable to recall where...
> In the context of Security, what are some best practices for
> handling -storing, locating, retrieving- database OLEDB connection
> strings?
> I have typically used a single include file and even considered stuffing
> the string in a document (XML or otherwise) outside of the root directory.
You could store it in a .asp file and then include that in your application.
There's no need to store it outside of the root directory because if someone
tries to access the file, it will be processed by the server. I would avoid
the XML approach though... less secure (if it was accessible via the web
somehow).
> I know of and have used methods to store connection strings in the registry
> of the server.
The problem with that is that if the server ever changes, your application
could stop working. That is, if the site is ever moved to a new server. In
addition, if your site is hosted, the chances of the host letting you add
something to the registry seem pretty slim to me. Plus, if I'm not
mistaken, registry access is slow, so it could affect performance.
> My thinking is the optimal solution involves some form of
> encryption and locating the string outside of the site itself.
Encryption? That could affect performance. I would avoid it if other
methods meet your needs.
Locating the string outside of the site itself? This adds some work, and I
would avoid it if other methods meet your needs.
My suggestion is to take an n-tier approach, putting your data access
methods into a single ASP file, and including that file in the pages that
need database access. This file would include the connection string, and
would not need to be encrypted or stored in a folder outside of the web
site. The only way anyone will see the contents of the file would be if
they had direct access to the server, in which case there would be very
little you could do anyway.
Regards,
Peter Foti
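
The thread turns on whether a file holding the connection string is run by the server or handed back as text. The following is an added example, not part of the original posts: a Python audit that walks a web root and lists files containing an OLE DB connection string whose extension is not in the server's executed set. The `PROCESSED_EXTS` set, the regex, and the sample site (`db.inc`, `settings.xml`, `db.asp.bak`) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions the web server executes instead of returning raw.
# Take the real list from the server's script/handler mappings.
PROCESSED_EXTS = {".asp"}

# OLE DB connection-string markers: a Provider= or Data Source= key with a value.
CONN_RE = re.compile(r"(?i)\b(provider|data source)\s*=\s*[^;\"'\s][^;\"']*;")

def find_exposed(web_root, processed_exts=PROCESSED_EXTS):
    """Return sorted relative paths of files under web_root that contain a
    connection string and are not executed by the server."""
    exposed = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in processed_exts:
                continue  # executed server-side, source is not sent as-is
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                text = fh.read()
            if CONN_RE.search(text):
                rel = os.path.relpath(path, web_root)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

# Constructed sample site (file names and contents are illustrative only).
_CS = "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=shop;"
SAMPLE = {
    "inc/db.asp": '<% Const CONN = "' + _CS + '" %>',
    "inc/db.inc": '<% Const CONN = "' + _CS + '" %>',
    "inc/db.asp.bak": '<% Const CONN = "' + _CS + '" %>',
    "config/settings.xml": "<conn>" + _CS + "</conn>",
    "default.asp": '<!--#include file="inc/db.asp"-->',
}

def build_sample(root):
    for rel, body in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(find_exposed(root))
```

Whether a flagged file is actually returned to a client depends on the server's static-file and MIME settings, so treat the output as a list to review.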