
Protecting database connection string

Hello,
I know this is probably a huge topic to discuss and
there are lots of different ways of implementation, but I
still would like to ask and hear the most commonly used
techniques for this.
Basically I have an ASP.NET application, and my
connection string currently is stored in a constant
public variable in one of my classes. The reason for that
is so that I only have one place to change the connection
string when I deploy it on a production server that uses
a different database. Now the problem with my method is
that the connection string can be potentially accessed by
an unauthorized person, which would expose the Database
information (as it contains IP, Port and UID and
password).

I read the article at
http://msdn.microsoft.com/msdnmag/is...1/ProtectYourData/default.aspx
and although it does have some great suggestions, I find
it is directed for windows apps more than web apps (or at
least not web apps hosted with shared hosting services,
where some of the features are not available, like
Windows Authentication, etc...). That's why I'm
interested in hearing about what other common
techniques are used for the web apps by other people.

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of storing it?

Thank you for your help in advance.

Merci,
Krista Lemieux
Nov 18 '05 #1

I use the web.config to store my connection details.
Mind you, we encrypt the string, and then once the site goes up and the connection string is needed we decrypt it and then store it in an application var.

Also, as some added security... all data access goes through SPs; this way we create 1 user that has no access to tables and only execute access for SPs and functions. This way we control what information is available even if they do get the details.
"Krista Lemieux" <ki***********@hotmail.com> wrote in message news:61****************************@phx.gbl...
Hello,
I know this is probably a hudge topic to discuss and
there are lots of different ways of implementation, but I
still would like to ask and hear the most commonly used
techniques for this.
Basically I have an ASP.NET application, and my
connection string currently is stored in a constant
public variable in one of my classes. The reason for that
is so that I only have one place to change the connection
string when I deploy it on a production server that uses
a different database. Now the problem with my method is
that the connection string can be potentially accessed by
an unauthorized person, which would expose the Database
information (as it contains IP, Port and UID and
password).

I read the article at
http://msdn.microsoft.com/msdnmag/is...1/ProtectYourD
ata/default.aspx
and although it does have some great suggestions, I find
it is directed for windows apps more than web apps (or at
least not web apps hosted with shared hosting services,
where some of the features are not available, like
Windows Authentication, etc...). That's why I'm
interested in hearing about what other common
techniques are used for the web apps by other people.

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of stroing it?

Thank you for your help in advance.

Merci,
Krista Lemieux

Nov 18 '05 #2
We are using impersonation, storing encrypted credentials in the registry and trusting relationship between Web app and SQL Server. In the web.config file:

<authentication mode="Windows" />
<identity impersonate="true"
    userName="registry:HKLM\SOFTWARE\SecureApp\identity\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\SecureApp\identity\ASPNET_SETREG,password" />

and

<add key="ConnectionString" value="Data Source=Server; Initial Catalog=DBase; Integrated Security=SSPI; " />

In that way credentials are never exposed, and when the web application connects to the database, credentials are not passed over the network.

"Krista Lemieux" wrote:
Hello,
I know this is probably a hudge topic to discuss and
there are lots of different ways of implementation, but I
still would like to ask and hear the most commonly used
techniques for this.
Basically I have an ASP.NET application, and my
connection string currently is stored in a constant
public variable in one of my classes. The reason for that
is so that I only have one place to change the connection
string when I deploy it on a production server that uses
a different database. Now the problem with my method is
that the connection string can be potentially accessed by
an unauthorized person, which would expose the Database
information (as it contains IP, Port and UID and
password).

I read the article at
http://msdn.microsoft.com/msdnmag/is...1/ProtectYourD
ata/default.aspx
and although it does have some great suggestions, I find
it is directed for windows apps more than web apps (or at
least not web apps hosted with shared hosting services,
where some of the features are not available, like
Windows Authentication, etc...). That's why I'm
interested in hearing about what other common
techniques are used for the web apps by other people.

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of stroing it?

Thank you for your help in advance.

Merci,
Krista Lemieux

Nov 18 '05 #3
"Krista Lemieux" <ki***********@hotmail.com> wrote in message
news:61****************************@phx.gbl...
Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of storing it?


I use web.config plus encryption. Here's one I did recently:

<add key="SQLConnectionString"
value="/jrER8bDAM/Ce6BWkcjtNVpLTFJBFnNdxnjlEIBskR3OwgbYB5qoT+drQtI67 nBtDyc4T
AeOmKm+cNOd4vP5r3v107nr4hzIO2DFdERDVjuuSHd50ThIjKp 992gJveP3I+v6D4rQ80=" />
Nov 18 '05 #4
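
Replies #2 and #4 both keep an encrypted value in web.config and decrypt it at run time, but neither says where the decryption key lives. The C# below is an added example, not code from any poster in this thread: it assumes .NET 2.0 or later on Windows and uses DPAPI (ProtectedData) so that no key is stored with the application; the class name, entropy string and sample connection string are constructed.

```csharp
// Added example (not from the thread). Assumes .NET 2.0+ on Windows and a
// reference to System.Security.dll. All names and values are constructed.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ProtectedConnectionString
{
    // Extra input mixed into DPAPI (constructed value). It is not the key: the
    // key is managed by Windows and is never stored with the application.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("SecureApp.ConnectionString.v1");
    private static readonly object Gate = new object();
    private static string cached;

    // Run once on the target server; the Base64 result is what goes into
    // web.config. LocalMachine scope ties the blob to that server.
    public static string Protect(string plaintext)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    // Decrypts on first use and caches the result in memory, the role the
    // "application var" plays in reply #2. Throws CryptographicException if the
    // blob was altered or was protected on a different machine.
    public static string Get(string protectedBase64)
    {
        lock (Gate)
        {
            if (cached == null)
            {
                byte[] clear = ProtectedData.Unprotect(
                    Convert.FromBase64String(protectedBase64), Entropy,
                    DataProtectionScope.LocalMachine);
                cached = Encoding.UTF8.GetString(clear);
                Array.Clear(clear, 0, clear.Length); // drop the plaintext byte copy
            }
            return cached;
        }
    }

    public static void Main()
    {
        // Constructed sample; in the application the value comes from web.config.
        string stored = Protect("Data Source=Server;Initial Catalog=DBase;User ID=app_exec;Password=example-only");
        Console.WriteLine("web.config value: " + stored);
        Console.WriteLine("round trip ok: " + Get(stored).StartsWith("Data Source=Server"));
    }
}
```

With LocalMachine scope, any process on the same server can call Unprotect if it also knows the entropy bytes, which matters on shared hosting. CurrentUser scope narrows this to the worker-process account but needs that account's profile to be loaded.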
Check out this article:
http://msdn.microsoft.com/library/de...SecNetHT08.asp

"Krista Lemieux" wrote:
Hello,
I know this is probably a hudge topic to discuss and
there are lots of different ways of implementation, but I
still would like to ask and hear the most commonly used
techniques for this.
Basically I have an ASP.NET application, and my
connection string currently is stored in a constant
public variable in one of my classes. The reason for that
is so that I only have one place to change the connection
string when I deploy it on a production server that uses
a different database. Now the problem with my method is
that the connection string can be potentially accessed by
an unauthorized person, which would expose the Database
information (as it contains IP, Port and UID and
password).

I read the article at
http://msdn.microsoft.com/msdnmag/is...1/ProtectYourD
ata/default.aspx
and although it does have some great suggestions, I find
it is directed for windows apps more than web apps (or at
least not web apps hosted with shared hosting services,
where some of the features are not available, like
Windows Authentication, etc...). That's why I'm
interested in hearing about what other common
techniques are used for the web apps by other people.

Do you have any suggestions on how I could protect this
connection string, but still be able to access it by my
other classes (to have a one point change), i.e.
encryption or a different method of stroing it?

Thank you for your help in advance.

Merci,
Krista Lemieux

Nov 18 '05 #5
