ASP.Net 2.0: Pros and cons of putting connection string in a DLL

J.S.

What are the pros and cons of putting the database connection information in
a DLL? Also, how does one do it? ;-)

Thanks,
J.S.

--
 
sreejith.ram

I guess a widely used approach is to use an appSetting key in Web.config:

<appSettings>
  <add key="DbConn_Str" value="Data Source=dsnamehere;User ID=useridhere;Password=passwordhere;Initial Catalog=dbnamehere;" />
</appSettings>

The advantage is that you could change it any time without rebuilding the
application.
 
J.S.

Yes, that's what I am currently using but I was thinking of using a DLL
instead. I have also tried using the encryption feature in ASP.Net 2.0 to
encrypt that part of the web.config file but haven't got it working yet.

--
 
Kevin Spencer

To put a Connection String (or any string) into a .Net DLL, create a
project, and add a class. Make the string a field or property of the class.

Worrying about people reading your web.config file is, however, not
profitable. If your security is set up properly, a hacker can no more access
the web.config file than they can access your system files. It is disallowed
by IIS.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Paranoia is just a state of mind.
 
J.S.

Kevin Spencer said:
> To put a Connection String (or any string) into a .Net DLL, create a
> project, and add a class. Make the string a field or property of the
> class.

Thanks, Kevin!

> Worrying about people reading your web.config file is, however, not
> profitable. If your security is set up properly, a hacker can no more
> access the web.config file than they can access your system files. It is
> disallowed by IIS.

You are quite correct but I stumbled across the ASP.Net 2.0 feature to
encrypt the connection string in the .config file. That's how I started
thinking about this issue. However, that feature is a bit buggy in Beta 2
(I don't have the later CTPs) and the aspnet_regiis tool options weren't
very clear. Some of the folks offered other suggestions in a related thread
but I'll probably move on for now and try to figure out some of the other
things in ASP.Net 2.0. :)

Thanks,
J.S.
 
John Horst

I would encrypt the whole connection string if you are going to put it
in web.config. While Kevin is right about setting up security properly,
if your system is subject to any kind of regulatory auditing, that
explanation will not fly (more for political than technological
reasons).

I have worked in life sciences companies (pharmaceuticals/clinical labs)
and for financial management companies as well as for the military and in
all of these environments, putting username/password info in cleartext
in web.config was an absolute no-no. Think a little about the
environment you are in and what kind of regulatory issues might apply
when considering this.

John
 
J.S.

John Horst said:
> I would encrypt the whole connection string if you are going to put it
> in web.config. While Kevin is right about setting up security properly,
> if your system is subject to any kind of regulatory auditing, that
> explanation will not fly (more for political than technological
> reasons).

John, do you use the aspnet_regiis tool for encrypting the connection string
or do you prefer some other method?

> I have worked in life sciences companies (pharmaceuticals/clinical labs)
> and for financial management companies as well as for the military and in
> all of these environments, putting username/password info in cleartext
> in web.config was an absolute no-no. Think a little about the
> environment you are in and what kind of regulatory issues might apply
> when considering this.

That's an excellent point... and one many should consider.

Thanks,
J.S.
 
Guest

I haven't made any .net dlls, but I used to put the connection string of asp
sites in a classic vb dll. That is, until I found a website saying that you
could open dlls with notepad and read half of what's in there - including
connection strings. I couldn't believe it at first, but I opened our db
connection dll in notepad, and sure enough I could read the connection string
as plain text. Needless to say my next project was encrypting it and adding
a decrypt to all the calls to connection string.

So if you try this with a .net dll, be sure and test it to see if you can
still read the dll in notepad. Encryption is pretty necessary if you're
worried about security.

Kevin Spencer said:
> To put a Connection String (or any string) into a .Net DLL, create a
> project, and add a class. Make the string a field or property of the class.
>
> Worrying about people reading your web.config file is, however, not
> profitable. If your security is set up properly, a hacker can no more access
> the web.config file than they can access your system files. It is disallowed
> by IIS.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> Paranoia is just a state of mind.
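
Added example (not part of the original thread): a Python version of the test described in the post above, scanning a compiled DLL for connection-string credentials that are still readable. .NET stores string literals as UTF-16, so it looks for both ASCII and UTF-16LE text runs; the function names are this example's own and the sample bytes are constructed from the placeholder string used earlier in the thread.

```python
import re
import sys

MIN_LEN = 8  # ignore shorter runs of printable characters
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Keys that carry the credential in an ADO.NET-style connection string.
SECRET = re.compile(r"\b(password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)

# Constructed sample: the thread's placeholder string embedded the way a
# compiled string literal would be (UTF-16LE) between non-text bytes.
SAMPLE_CONN = ("Data Source=dsnamehere;User ID=useridhere;"
               "Password=passwordhere;Initial Catalog=dbnamehere;")
SAMPLE_DLL = (b"MZ\x90\x00" + b"\x00" * 60
              + SAMPLE_CONN.encode("utf-16le") + b"\xff" * 16)

def printable_runs(data):
    """Yield (offset, encoding, text) for each ASCII or UTF-16LE text run."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_embedded_credentials(data):
    """Report readable Password=/Pwd= values without echoing the secret."""
    findings = []
    for offset, encoding, text in printable_runs(data):
        for m in SECRET.finditer(text):
            findings.append({"offset": offset, "encoding": encoding,
                             "key": m.group(1), "value_len": len(m.group(2))})
    return findings

if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample.
    blobs = ({p: open(p, "rb").read() for p in sys.argv[1:]}
             or {"<sample>": SAMPLE_DLL})
    for name, blob in blobs.items():
        for f in find_embedded_credentials(blob):
            print(f"{name}: {f['key']}= readable at offset {f['offset']} "
                  f"({f['encoding']}, {f['value_len']} chars)")
```

No finding only shows that the literal is not stored as plain text; a decryption key compiled into the same DLL is just as recoverable as the string it protects.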
 
J.S.

Did you use obfuscation for your DLL? I know they can be read quite easily
unless one uses obfuscation.

I'll probably just encrypt the connection string in the web.config for now.

Thanks,
J.S.
 
Some Thoughts

You might want to consider that config files may be easier to spoof than dll's.
 
