473,324 Members | 2,214 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,324 software developers and data experts.

How do I make my database secure?

I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_On e;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin

Nov 20 '05 #1
5 1585
unless you are on a dedicated server, you are not too secure. other websites
hosted by asp.net have permission to open your web config and read it (as
the asp.net process need access).

asp.net allows encryption by storing the connect string in the registry, but
your isp would have to support this. you could encrypt it yourself, but the
trick is where to store the key (other sites have access to bin, and can
decompile your code to see the decryption code). you should also encrypt in
the database, because you need to secure backups also. when the banks
exposed their cc list, it was thru a lost backup tape.

..net has encryption routines, you shoudl look at using them.

-- bruce (sqlwork.com)


"COHENMARVIN" <co*********@hotmail.com> wrote in message
news:11**********************@g43g2000cwa.googlegr oups.com...
I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_On e;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin

Nov 20 '05 #2
Besides what said in other post, when storing sensitive data, such as credit
card info, you should not store the data in database as clear text. You
should encrypt the data itself before place it into database. And then when
your app reads these data, you decrypt them. So that the data is not
physically readable by anyone other than your app.

"COHENMARVIN" <co*********@hotmail.com> wrote in message
news:11**********************@g43g2000cwa.googlegr oups.com...
I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_On e;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin

Nov 20 '05 #3
Even with encryption, the system has to have a key, and in a shared
hosting environment, it is going to be extremely difficult to come up
with a way to protect that key .... If someone is able to penetrate the
system and get direct access to the SQL Server .... then chances are
they are going to be able to scan your code to find the encryption keys,
or how you are obfuscating them.

Norman Yuan wrote:
Besides what said in other post, when storing sensitive data, such as credit
card info, you should not store the data in database as clear text. You
should encrypt the data itself before place it into database. And then when
your app reads these data, you decrypt them. So that the data is not
physically readable by anyone other than your app.

"COHENMARVIN" <co*********@hotmail.com> wrote in message
news:11**********************@g43g2000cwa.googlegr oups.com...
I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_ One;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin


Nov 20 '05 #4
On Thu, 17 Nov 2005 11:04:56 -0800, "Bruce Barker"
<br******************@safeco.com> wrote:
unless you are on a dedicated server, you are not too secure. other websites
hosted by asp.net have permission to open your web config and read it (as
the asp.net process need access).


That's where code access security and running under partial trust come
in:
http://odetocode.com/Blogs/scott/arc...0/28/2394.aspx

--
Scott
http://www.OdeToCode.com/blogs/scott/
Nov 20 '05 #5
You could try to talk your ISP into importing a Key and follow one of the
docs on how to use aspnet_regiis to create a RSA key and export to them.
--
kr**@n-sv.com.<Remove This Before Emailing>

Network & Software Integration
www.n-sv.com

"Helping put the pieces of your IT puzzle together"
"COHENMARVIN" wrote:
I have a sql server database hosted by an ISP. It has credit card
fields. I want to make the database secure.
My asp.net pages refer to the database as follows:
strConnection =
ConfigurationSettings.AppSettings["ConnectionInformation"];
Which means they get the connectionstring for the database from a
web.config file.
The web.config file has the following tags:
<appSettings>
<add key="ConnectionInformation"
value="Server=sql2k5.earthweb.com;Database=merc_On e;uid=usa_hvtest;password=vinyl"
/>
</appSettings>
Is there some way to encrypt the connection string? Would it be
encrypted in the web.config? Could some hacker get at the web.config?
Are there any other security measures I could take? For instance,
could the creditcard fields be encrypted in the database?
Thanks in advance for any pointers.
-- Marvin

Dec 16 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

6
by: Sarah Tanembaum | last post by:
I was wondering if it is possible to create a secure database system using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc)...
8
by: peter | last post by:
I have taken over the website duties at work. I am still learning PHP and MySQL. I want to have a form where the user enters some finacial info and it is stored in a database. It, obviously,...
4
by: Ant | last post by:
I am trying to apply security to a database I have just finished. The application is split into a back end of tables and a front end of forms etc. I need some users to have access to forms based on...
9
by: CMan | last post by:
Hi , We have a internal database application which we now need to update from a website hosted at an external site. We want users to be able to come to the website and see their very latest...
6
by: cj | last post by:
I'm tryin to set up a sqlcommand in VB.NET that would issue the command: insert into server1.database.owner.table select * from server2.database.owner.table Since this sqlcommand has it's...
1
by: Martin | last post by:
Is there a way to create and encrypted database file? What do people do when data security is important at the file level? In other words, you don't want anyone to be able to take the database...
2
by: D | last post by:
If you secure an MSACCESS Database using a Workgroup Information File WIF and then setting up permissions removing the Admin user from the its default group, repalce it with another named user,...
10
by: Les Desser | last post by:
In article <fcebdacd-2bd8-4d07-93a8-8b69d3452f3e@s50g2000hsb.googlegroups.com>, The Frog <Mr.Frog.to.you@googlemail.comMon, 14 Apr 2008 00:45:10 writes Not sure if I quite follow that. 1....
10
by: sparks | last post by:
We have a database with NO security on a network drive. Seems that some IT person went in and created a security.mdw Now no one can log into the database. Is there a way to get rid of this and...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.