First let me say, if you want real security, you will have to pay for it,
most of the low cost providers will let you have it but will charge you for
it. Otherwise you me need to find another provider. The same people that can
get at your web.config to read the password to your database will likely
already have access to your database with out your password. (Did that make
sense? It's so hard to tell)
That being said, I am in the same situation with my provider, so at the risk
of being chastised, here is what I have done: (I don't store any of this in
the Web.config, I use XML serialization to store it in it's own XML file)
I have a class that handles the database connection string, and it stores
the critical data (user name and password in an encrypted byte array) I have
overridden ToString() to give me the whole connection string when I ask for
it with the parts un-encrypted. Some thing like this:
public class DatabaseConnect ion
{
private byte[] _userid;
private byte[] _password;
public byte[] UserID
{
get { return _userid; }
set { _userid = value; }
}
public byte[] Password
{
get { return _password; }
set { _password = value; }
}
public string SetUserID(strin g user)
{
UserID = Globals.Encrypt (user);
}
private string GetUserID()
{
return Globals.Decrypt (_userid);
}
public string SetPassword(str ing pass)
{
Password = Globals.Encrypt (pass);
}
private string GetPassword()
{
return Globals.Decrypt (_password);
}
public override string ToString()
{
return string.Format(" user id={0}; password={1}; blah blah blah",
GetUserId(), GetPassword());
}
}
then Globals looks like this:
public class Globals
{
public static byte[] Encrypt(string s)
{
System.Text.ASC IIEncoding encoder = new System.Text.ASC IIEncoding();
return EncryptByteArra y(encoder.GetBy tes(s));
}
public static string Decrypt(byte[] b)
{
System.Text.ASC IIEncoding encoder = new System.Text.ASC IIEncoding();
byte[] result = DecryptByteArra y(b);
return encoder.GetStri ng(result);
}
// Encryption keys, fill in with byte values (0-255)
private static byte[] RC2Key = {0x0,0x0,0x0,0x 0,0xe0,0x0,0x0, 0x0}; //
<==Make up your own
private static byte[] RC2IV = {0x0,0x0,0x0,0x 0,0x0,0x0,0x0,0 x0}; //
<==Make up your own
private static byte[] EncryptByteArra y(byte[] value)
{
System.Security .Cryptography.R C2CryptoService Provider crypto = new
System.Security .Cryptography.R C2CryptoService Provider();
byte[] buffer;
System.Security .Cryptography.C ryptoStream clearTextStream ;
System.IO.Memor yStream cypherTextStrea m;
byte[] result;
buffer = value;
cypherTextStrea m = new System.IO.Memor yStream();
clearTextStream = new
System.Security .Cryptography.C ryptoStream(cyp herTextStream,
crypto.CreateEn cryptor(RC2Key, RC2IV),
System.Security .Cryptography.C ryptoStreamMode .Write);
clearTextStream .Write(buffer, 0, buffer.Length);
clearTextStream .FlushFinalBloc k();
result = cypherTextStrea m.ToArray();
return result;
}
private static byte[] DecryptByteArra y(byte[] value)
{
System.Security .Cryptography.R C2CryptoService Provider crypto = new
System.Security .Cryptography.R C2CryptoService Provider();
byte[] buffer;
System.Security .Cryptography.C ryptoStream cypherTextStrea m;
System.IO.Memor yStream clearTextStream ;
byte[] result;
buffer = value;
clearTextStream = new System.IO.Memor yStream();
cypherTextStrea m = new
System.Security .Cryptography.C ryptoStream(cle arTextStream,
crypto.CreateDe cryptor(RC2Key, RC2IV),
System.Security .Cryptography.C ryptoStreamMode .Write);
cypherTextStrea m.Write(buffer, 0, buffer.Length);
cypherTextStrea m.FlushFinalBlo ck();
result = clearTextStream .ToArray();
return result;
}
}
There it is, FWIW.
Brian W
As the risk of being chastized here it wat
"Charlie@CB FC" <ch*****@comcas t.net> wrote in message
news:%2******** ********@TK2MSF TNGP10.phx.gbl. ..
Hi:
I'm storing my dB connection in web.config file. Since it will be easily
read by opening file, what is a good way to secure it?
Thanks,
Charlie