SECURITY: Best Practices for Handling Connection Strings

Hello,
I saw a brief blurb on this somewhere and am unable to recall where...

In the context of Security, what are some best practices for
handling -storing, locating, retrieving- database OLEDB connection strings?

I have typically used a single include file and even considered stuffing the
string in a document (XML or otherwise) outside of the root directory. I
know of and have used methods to store connection strings in the registry of
the server. My thinking is the optimal solution involves some form of
encryption and locating the string outside of the site itself.

What about storing the connection string in a database? -just seeing if you
were awake (-;

Links to articles or other such resources will be greatly appreciated.

--
Cheers!

Ryan N.
---------------------------------
Funny...this worked yesterday....
Jul 19 '05 #1
I usually store my connection string in an application variable located in
the global.asa file.

i.e.

application("conn") = "yourconnectionstring"

The other thing I was just thinking about the other day was to include it in
a DLL. Haven't tried it yet, but can't see why it's not possible.


Jul 19 '05 #2
Thanks for the response.

Some observations...

I can see some potential issues with keeping a connection string within a
compiled dll in that if the server configuration settings change the dll
will have to be rebuilt and redeployed.

Application variables are a viable option as long as there is only one
application within the site -or very few for that matter.

What other 'Best Practice' ideas are out there?

--
Cheers!

Ryan N.
---------------------------------
Funny...this worked yesterday....

Jul 19 '05 #3
"Ryan N." <zh****@CANTHESPAMhotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> Hello,
> I saw a brief blurb on this somewhere and am unable to recall where...
>
> In the context of Security, what are some best practices for
> handling -storing, locating, retrieving- database OLEDB connection strings?
> I have typically used a single include file and even considered stuffing
> the string in a document (XML or otherwise) outside of the root directory.

You could store it in a .asp file and then include that in your application.
There's no need to store it outside of the root directory because if someone
tries to access the file, it will be processed by the server. I would avoid
the XML approach though... less secure (if it was accessible via the web
somehow).

> I know of and have used methods to store connection strings in the
> registry of the server.

The problem with that is that if the server ever changes, your application
could stop working. That is, if the site is ever moved to a new server. In
addition, if your site is hosted, the chances of the host letting you add
something to the registry seem pretty slim to me. Plus, if I'm not
mistaken, registry access is slow, so it could affect performance.

> My thinking is the optimal solution involves some form of
> encryption and locating the string outside of the site itself.

Encryption? That could affect performance. I would avoid it if other
methods meet your needs.
Locating the string outside of the site itself? This adds some work, and I
would avoid it if other methods meet your needs.

My suggestion is to take an n-tier approach, putting your data access
methods into a single ASP file, and including that file in the pages that
need database access. This file would include the connection string, and
would not need to be encrypted or stored in a folder outside of the web
site. The only way anyone will see the contents of the file would be if
they had direct access to the server, in which case there would be very
little you could do anyway.

Regards,
Peter Foti

Jul 19 '05 #4
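
An added example, not code from the thread: a Python audit for the exposure discussed above, a connection string sitting in a file under the site root that the web server would return as-is (the XML case) instead of processing it (the .asp case). The extension list, function names and sample tree are assumptions made for illustration, and the check also covers other non-script files such as .inc includes and backup copies.

```python
import os
import re
import tempfile

# Assumption: extensions the server executes or refuses to serve as text.
SERVER_PROCESSED = {".asp", ".asa"}

# OLEDB-style connection string: a Provider= key plus an embedded password.
PROVIDER_RE = re.compile(r"provider\s*=", re.I)
PASSWORD_RE = re.compile(r"(password|pwd)\s*=\s*[^;\"'\s]", re.I)

def find_exposed_connection_strings(web_root):
    """Return relative paths of files under web_root that hold a credentialed
    connection string and would be returned to a browser as plain content."""
    exposed = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SERVER_PROCESSED:
                continue  # source is not sent to the client
            path = os.path.join(folder, name)
            with open(path, "r", errors="ignore") as fh:
                text = fh.read(1_000_000)  # bound the read per file
            if PROVIDER_RE.search(text) and PASSWORD_RE.search(text):
                rel = os.path.relpath(path, web_root)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_site(root):
    """Constructed sample tree; the credentials are made-up placeholders."""
    conn = "Provider=SQLOLEDB;Data Source=db01;User Id=app;Password=example-only;"
    samples = {
        "global.asa": f'Application("conn") = "{conn}"',
        "inc/data.asp": f'<% Const CONN = "{conn}" %>',
        "inc/data.inc": f'<% Const CONN = "{conn}" %>',
        "config/settings.xml": f"<settings><conn>{conn}</conn></settings>",
        "data.asp.bak": f'<% Const CONN = "{conn}" %>',
        "readme.txt": "Site notes, no secrets here.",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(find_exposed_connection_strings(site))
```

Run against a copy of the deployed site root, each hit is a file to move out of the root, convert to a server-processed type, or strip of credentials.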
