I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
    strConnection = ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
    <appSettings>
        <add key="ConnectionInformation"
             value="Server=sql2k5.earthweb.com;Database=merc_One;uid=usa_hvtest;password=vinyl" />
    </appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin
unless you are on a dedicated server, you are not too secure. other websites
hosted by asp.net have permission to open your web config and read it (as
the asp.net process needs access).
asp.net allows encryption by storing the connect string in the registry, but
your isp would have to support this. you could encrypt it yourself, but the
trick is where to store the key (other sites have access to bin, and can
decompile your code to see the decryption code). you should also encrypt in
the database, because you need to secure backups also. when the banks
exposed their cc list, it was thru a lost backup tape.
.net has encryption routines, you should look at using them.
-- bruce (sqlwork.com)
Besides what was said in the other post, when storing sensitive data, such as credit
card info, you should not store the data in the database as clear text. You
should encrypt the data itself before placing it into the database. And then when
your app reads this data, you decrypt it. So that the data is not
physically readable by anyone other than your app.
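What the reply above describes, as an added example that is not from the thread: encrypt the card number in the application before the INSERT and decrypt it after the SELECT, here with AES-256-GCM on .NET 8 or later. The class name, the row identifier format and the demo values are assumptions; the key is passed in as a parameter because it has to live outside the code and the database.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. AES-256-GCM per-field encryption.
public static class CardField
{
    const int NonceLen = 12, TagLen = 16;

    // Returns nonce || tag || ciphertext for a varbinary column. rowId is bound
    // as associated data, so a blob copied onto another row fails to decrypt.
    public static byte[] Protect(byte[] key, string cardNumber, string rowId)
    {
        byte[] plain = Encoding.UTF8.GetBytes(cardNumber);
        byte[] blob = new byte[NonceLen + TagLen + plain.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceLen);
        RandomNumberGenerator.Fill(nonce); // fresh random nonce for every value
        using (var aes = new AesGcm(key, TagLen))
            aes.Encrypt(nonce, plain, blob.AsSpan(NonceLen + TagLen),
                        blob.AsSpan(NonceLen, TagLen), Encoding.UTF8.GetBytes(rowId));
        return blob;
    }

    // Throws CryptographicException if the blob, the key or rowId does not match.
    public static string Unprotect(byte[] key, byte[] blob, string rowId)
    {
        if (blob.Length < NonceLen + TagLen)
            throw new CryptographicException("ciphertext blob too short");
        byte[] plain = new byte[blob.Length - NonceLen - TagLen];
        using (var aes = new AesGcm(key, TagLen))
            aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                        blob.AsSpan(NonceLen, TagLen), plain, Encoding.UTF8.GetBytes(rowId));
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed demo values. A real key is loaded from a store kept apart
        // from the database, its backups and the site's bin directory.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] blob = Protect(key, "4111111111111111", "customer:42");
        Console.WriteLine(Unprotect(key, blob, "customer:42"));
        try { Unprotect(key, blob, "customer:43"); }
        catch (CryptographicException) { Console.WriteLine("blob moved to another row: rejected"); }
    }
}
```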
Even with encryption, the system has to have a key, and in a shared
hosting environment, it is going to be extremely difficult to come up
with a way to protect that key .... If someone is able to penetrate the
system and get direct access to the SQL Server .... then chances are
they are going to be able to scan your code to find the encryption keys,
or how you are obfuscating them.
On Thu, 17 Nov 2005 11:04:56 -0800, "Bruce Barker"
<br******************@safeco.com> wrote: unless you are on a dedicated server, you are not too secure. other websites hosted by asp.net have permission to open your web config and read it (as the asp.net process needs access).
That's where code access security and running under partial trust come
in: http://odetocode.com/Blogs/scott/arc...0/28/2394.aspx
--
Scott http://www.OdeToCode.com/blogs/scott/
You could try to talk your ISP into importing a key and follow one of the
docs on how to use aspnet_regiis to create an RSA key and export to them.
-- kr**@n-sv.com.<Remove This Before Emailing>
Network & Software Integration www.n-sv.com
"Helping put the pieces of your IT puzzle together"
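Once the host has imported an RSA key container as suggested above, the site can encrypt its own settings section with the protected-configuration API. This is an added example, not code from the thread, for ASP.NET 2.0 or later on .NET Framework; the provider name SiteRsaProvider and the container name SiteKeys are hypothetical.

```csharp
using System.Configuration;
using System.Web.Configuration;
using System.Web.Hosting;

// Added example, not code from the thread. Assumes web.config declares an RSA
// provider bound to the key container the host imported (names hypothetical):
//
//   <configProtectedData>
//     <providers>
//       <add name="SiteRsaProvider"
//            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//            keyContainerName="SiteKeys" useMachineContainer="true" />
//     </providers>
//   </configProtectedData>
public static class ConfigProtector
{
    // Encrypts <appSettings> in the site's own web.config on disk.
    // Returns true if the section is protected when the call returns.
    public static bool ProtectAppSettings(string providerName)
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(HostingEnvironment.ApplicationVirtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || section.SectionInformation.IsLocked)
            return false; // nothing to protect, or locked by a parent config
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified); // rewrites web.config, restarts the app
        }
        return section.SectionInformation.IsProtected;
    }
}
```

Code that reads AppSettings needs no change, because the section is decrypted when the configuration is loaded.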