.Net Connection String Security

Frinavale
9,735 Recognized Expert Moderator Expert
I currently have a .NET application that has an object which passes a string (a connection string) as a parameter to another object that does database manipulation.

This string isn't stored anywhere else and is only used by this behind-the-scenes object to provide the database manipulation object with a connection string.

Does my connection string pose a security problem when it is inside the code like this?

Or are connection strings only at risk when they are listed in a web.config file?

Why would you want to put your connection string in a web.config file as opposed to putting it directly into code as I have done?

Are hackers able to get into a compiled project and extract the value of a string inside an object used with that project? How???

I'm kind of confused and would love some clarification.

Thanks

-Frinny
Feb 15 '07 #1
chazcross
31 New Member
The web.config file is the best place for it. Not only do you have a single known place where you can update it, you can also easily encrypt it.

The VS designers place database credentials in the web.config file itself.
Feb 15 '07 #2
Frinavale
9,735 Recognized Expert Moderator Expert
The web.config file is the best place for it. Not only do you have a single known place where you can update it, you can also easily encrypt it.

The VS designers place database credentials in the web.config file itself.
Why is the web.config the best place to put my connection string?

I only use it in that one class...which just passes it as a parameter to another object that is included as a resource in my project.

Can people see this string somehow inside my code?

My code isn't even on the server...it's only on my development server.

I still don't understand.

-Frinny
Feb 15 '07 #3
bobneedshelp
17 New Member
Why is the web.config the best place to put my connection string?

I only use it in that one class...which just passes it as a parameter to another object that is included as a resource in my project.

Can people see this string somehow inside my code?

My code isn't even on the server...it's only on my development server.

I still don't understand.

-Frinny
I'll assume your app is exposed to the web, and I'm not sure exactly what you're worried about or trying to protect against. Security from hacking comes in layers and just isn't about where the SQL statement is.
Feb 15 '07 #4
Motoma
3,237 Recognized Expert Specialist
Why is the web.config the best place to put my connection string?

I only use it in that one class...which just passes it as a parameter to another object that is included as a resource in my project.

Can people see this string somehow inside my code?

My code isn't even on the server...it's only on my development server.

I still don't understand.

-Frinny
Security issues can come in if you have debugging on, or if your app is set to display error messages. Often with ASP, you can configure your server to display lines of actual code for debugging purposes.

If someone were to actually get your application, they could run it through a .NET Decompiler such as Dis#. But then, if that happened, you have worse things to worry about than your connection string, mainly the giant gaping security hole.
Feb 16 '07 #5
Frinavale
9,735 Recognized Expert Moderator Expert
I'll assume your app is exposed to the web, and I'm not sure exactly what you're worried about or trying to protect against. Security from hacking comes in layers and just isn't about where the SQL statement is.
Well, basically I've never thought about web-application security before because I've never had sensitive data that people would be able to access if my web-sites were hacked.

I was (and still am) looking up what types of hacking are out there and how to prevent them.

So far I'm pretty happy with what security I have naturally put into place without knowing about web-application security. It just seems natural to not let anyone see any errors...even if it is an IIS error...I don't even want them to know what type of server I'm running....it also seems natural to make sure that the user input is clean of unwanted data....and that it is valid data. It seems pretty stupid to store personal information in sessions or cookies so I don't (I probably will in the future...but I'll have to learn how to properly encrypt such data)

Anyways, while I was doing research I started to get into the database insertion attacks and part of the recommendations to prevent this is to encrypt your database connection string in the web.config file.

I remember learning that it was almost a standard to put the connection string in the web.config but I never could figure out why? I understood that by putting it there it could be accessed from anywhere in the application but I always group my database manipulation stuff together and have one class handle it. In the case of the application I'm trying to secure, it's a set of classes and its code isn't even in the project...I have developed an outside DLL to do this for me and it's placed within a system folder under one more layer of security.

I'm probably going to remain kind of fuzzy on why the connection string should be put in the web.config file...but that's okay for now. I'm pretty sure it is safe within my application.....for the most part

Thanks for all your help.

-Frinny
Feb 16 '07 #6
Frinavale
9,735 Recognized Expert Moderator Expert
I'm moving the database manipulation out of the system folder....it seems to be one more place that a hacker might be able to gain access in. Even if I set the folder permissions...I don't want to compromise the server.
This security risk I didn't consider.
Feb 16 '07 #7
ggibson1
3 New Member
You can either use .Net 2.0 built-in web.config encryption or you can use a tool like Assembly Lockbox ( http://alb.gibwo.com ) to encrypt the entire dll that your code is in... that will protect the connection string and all the other code as well.
Jul 7 '07 #8
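
The built-in web.config encryption mentioned in this thread, as an added example (not code from any poster): a C# helper that encrypts the `<connectionStrings>` section in place with a protected-configuration provider and then reads a value back through the normal API, which decrypts transparently. The class name, the method names and the connection string name "AppDb" are hypothetical; it assumes an ASP.NET 2.0+ application whose process identity can write to web.config.

```csharp
// Added example: protect <connectionStrings> in web.config (ASP.NET 2.0+).
// Hypothetical names: ConnectionStringProtection, Protect, Read, "AppDb".
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtection
{
    // Built-in providers: "DataProtectionConfigurationProvider" (DPAPI, key bound
    // to this machine) or "RsaProtectedConfigurationProvider" (RSA key container).
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the section on disk. Returns true if web.config was rewritten,
    // false if the section was already encrypted.
    public static bool Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false;
        if (info.IsLocked)
            throw new ConfigurationErrorsException(
                "Section is locked by a parent configuration file and cannot be changed here.");

        info.ProtectSection(Provider);   // marks the section for encryption
        info.ForceSave = true;           // write it even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading is unchanged: the runtime decrypts the section before returning it.
    public static string Read(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("Connection string '" + name + "' not found.");
        return settings.ConnectionString;
    }
}

// Typical use, for example once from Application_Start in Global.asax:
//   ConnectionStringProtection.Protect("~");
//   string cs = ConnectionStringProtection.Read("AppDb");
```

With the DPAPI provider the encrypted file can only be decrypted on the machine that encrypted it, so a web farm needs the RSA provider with a shared key container. Encryption protects the file at rest; any code running inside the application can still obtain the plaintext.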
