I'll assume your app is exposed to the web, and I'm not sure exactly what you're worried about or trying to protect against. Security from hacking comes in layers and just isn't about where the SQL statement is.
Well, basically I've never thought about web-application security before because I've never had sensitive data that people would be able to access if my websites were hacked.
I was (and still am) looking up what types of hacking are out there and how to prevent them.
So far I'm pretty happy with what security I have naturally put into place without knowing about web-application security. It just seems natural to not let anyone see any errors... even if it is an IIS error... I don't even want them to know what type of server I'm running... it also seems natural to make sure that the user input is clean of unwanted data... and that it is valid data. It seems pretty stupid to store personal information in sessions or cookies so I don't (I probably will in the future... but I'll have to learn how to properly encrypt such data).
Anyways, while I was doing research I started to get into the database insertion attacks, and part of the recommendations to prevent this is to encrypt your database connection string in the web.config file.
I remember learning that it was almost a standard to put the connection string in the web.config but I never could figure out why. I understood that by putting it there it could be accessed from anywhere in the application, but I always group my database manipulation stuff together and have one class handle it. In the case of the application I'm trying to secure, it's a set of classes and its code isn't even in the project... I have developed an outside DLL to do this for me and it's placed within a system folder under one more layer of security.
I'm probably going to remain kind of fuzzy on why the connection string should be put in the web.config file... but that's okay for now. I'm pretty sure it is safe within my application... for the most part.
Thanks for all your help.
-Frinny