
SECURITY: Best Practices for Handling Connection Strings

Hello,
I saw a brief blurb on this somewhere and am unable to recall where...

In the context of Security, what are some best practices for
handling -storing, locating, retrieving- database OLEDB connection strings?

I have typically used a single include file and even considered stuffing the
string in a document (XML or otherwise) outside of the root directory. I
know of and have used methods to store connection strings in the registry of
the server. My thinking is the optimal solution involves some form of
encryption and locating the string outside of the site itself.

What about storing the connection string in a database? -just seeing if you
were awake (-;

Links to articles or other such resources will be greatly appreciated.

--
Cheers!

Ryan N.
---------------------------------
Funny...this worked yesterday....
Jul 19 '05 #1
3 Replies


I usually store my connection string in an application variable located in
the global.asa file.

i.e.

application("conn") = "yourconnectionstring"

The other thing I was just thinking about the other day was to include it in
a DLL. Haven't tried it yet, but can't see why it's not possible.


Jul 19 '05 #2

Thanks for the response.

Some observations...

I can see some potential issues with keeping a connection string within a
compiled dll in that if the server configuration settings change the dll
will have to be rebuilt and redeployed.

Application variables are a viable option as long as there is only one
application within the site -or very few for that matter.

What other 'Best Practice' ideas are out there?

--
Cheers!

Ryan N.
---------------------------------
Funny...this worked yesterday....
"[ + 2 0 r p 3 ]" <ga**@tpg.com.au> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> i usually store my connection string in a application variable located in
> the global.asa file.
>
> ie
>
> application("conn") = "yourconnectionstring"
>
> the other thing i was just thinking about the other day was to include it in
> a dll. havent tried it yet, but cant see why its not possible.


Jul 19 '05 #3

"Ryan N." <zh****@CANTHESPAMhotmail.com> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> Hello,
> I saw a brief blurb on this somewhere and am unable to recall where...
>
> In the context of Security, what are some best practices for
> handling -storing, locating, retrieving- database OLEDB connection strings?
> I have typically used a single include file and even considered stuffing
> the string in a document (XML or otherwise) outside of the root directory.

You could store it in a .asp file and then include that in your application.
There's no need to store it outside of the root directory because if someone
tries to access the file, it will be processed by the server. I would avoid
the XML approach though... less secure (if it was accessible via the web
somehow).

> I know of and have used methods to store connection strings in the
> registry of the server.

The problem with that is that if the server ever changes, your application
could stop working. That is, if the site is ever moved to a new server. In
addition, if your site is hosted, the chances of the host letting you add
something to the registry seem pretty slim to me. Plus, if I'm not
mistaken, registry access is slow, so it could affect performance.

> My thinking is the optimal solution involves some form of
> encryption and locating the string outside of the site itself.

Encryption? That could affect performance. I would avoid it if other
methods meet your needs.
Locating the string outside of the site itself? This adds some work, and I
would avoid it if other methods meet your needs.

My suggestion is to take an n-tier approach, putting your data access
methods into a single ASP file, and including that file in the pages that
need database access. This file would include the connection string, and
would not need to be encrypted or stored in a folder outside of the web
site. The only way anyone will see the contents of the file would be if
they had direct access to the server, in which case there would be very
little you could do anyway.

Regards,
Peter Foti

Jul 19 '05 #4
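
Added example, not part of any post in this thread: a Python audit that walks a web root and reports files containing OLEDB connection-string text whose extension the server would return as plain text rather than process, which is the exposure the last answer contrasts with a .asp include. The handled-extension set, file names and credentials are constructed assumptions.

```python
import os
import re
import tempfile

# Assumption: extensions the web server runs (or refuses to serve) instead of
# returning as plain text. Adjust to match the server's real script mappings.
SERVER_HANDLED = {".asp", ".asa"}

# Keys typical of an OLEDB connection string.
SOURCE_KEY = re.compile(r"\b(?:Provider|Data Source)\s*=", re.I)
SECRET_KEY = re.compile(r"\b(?:Password|Pwd)\s*=\s*[^;\"'\s<]+", re.I)


def find_exposed_connection_strings(web_root):
    """Return sorted (relative_path, has_password) for statically served files
    under web_root that contain connection-string text."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SERVER_HANDLED:
                continue  # processed server-side, source is not returned
            path = os.path.join(folder, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if SOURCE_KEY.search(text):
                rel = os.path.relpath(path, web_root).replace(os.sep, "/")
                findings.append((rel, bool(SECRET_KEY.search(text))))
    return sorted(findings)


def build_sample_site(root):
    """Write a constructed sample site (made-up names and credentials)."""
    conn = "Provider=SQLOLEDB;Data Source=db01;User ID=web;Password=example"
    samples = {
        "includes/db.asp": '<% Const CONN = "' + conn + '" %>',
        "includes/db.inc": '<% Const CONN = "' + conn + '" %>',
        "config/settings.xml": "<conn>Provider=SQLOLEDB;Data Source=db01;"
                               "Integrated Security=SSPI</conn>",
        "default.htm": "<html><body>Welcome</body></html>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, has_pw in find_exposed_connection_strings(site):
            print(rel, "(contains password)" if has_pw else "")
```

In the sample site the same include text is skipped as db.asp and reported as db.inc, and the XML file is reported without a password because it uses integrated security.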
