ASP.Net 2.0: Pros and cons of putting connection string in a DLL

Discussion in 'ASP .Net' started by J.S., Aug 29, 2005.

  1. J.S.

    J.S. Guest

    What are the pros and cons of putting the database connection information in
    a DLL? Also, how does one do it? ;-)

    Thanks,
    J.S.

    --
    J.S., Aug 29, 2005
    #1

  2. J.S.

    Guest

    Re: ASP.Net 2.0: Pros and cons of putting connection string in a DLL

    I guess a widely used approach is to use an appSetting key in Web.config

    <appSettings>
      <add key="DbConn_Str" value="Data Source=dsnamehere;User ID=useridhere;Password=passwordhere;Initial Catalog=dbnamehere;" />
    </appSettings>

    The advantage is that you could change it any time without rebuilding the
    application
    , Aug 29, 2005
    #2

  3. J.S.

    J.S. Guest

    Re: ASP.Net 2.0: Pros and cons of putting connection string in a DLL

    Yes, that's what I am currently using but I was thinking of using a DLL
    instead. I have also tried using the encryption feature in ASP.Net 2.0 to
    encrypt that part of the web.config file but haven't got it working yet.

    --
    J.S., Aug 29, 2005
    #3
  4. Re: ASP.Net 2.0: Pros and cons of putting connection string in a DLL

    To put a Connection String (or any string) into a .Net DLL, create a
    project, and add a class. Make the string a field or property of the class.

    Worrying about people reading your web.config file is, however, not
    profitable. If your security is set up properly, a hacker can no more access
    the web.config file than they can access your system files. It is disallowed
    by IIS.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    Paranoia is just a state of mind.

    "J.S." <> wrote in message
    news:...
    > Yes, that's what I am currently using but I was thinking of using a DLL
    > instead. I have also tried using the encryption feature in ASP.Net 2.0 to
    > encrypt that part of the web.config file but haven't got it working yet.
    Kevin Spencer, Aug 29, 2005
    #4
  5. J.S.

    J.S. Guest

    Re: ASP.Net 2.0: Pros and cons of putting connection string in a DLL

    "Kevin Spencer" <> wrote in message
    news:...
    > To put a Connection String (or any string) into a .Net DLL, create a
    > project, and add a class. Make the string a field or property of the
    > class.


    Thanks, Kevin!

    > Worrying about people reading your web.config file is, however, not
    > profitable. If your security is set up properly, a hacker can no more
    > access the web.config file than they can access your system files. It is
    > disallowed by IIS.


    You are quite correct but I stumbled across the ASP.Net 2.0 feature to
    encrypt the connection string in the .config file. That's how I started
    thinking about this issue. However, that feature is a bit buggy in Beta 2
    (I don't have the later CTPs) and the aspnet_regiis tool options weren't
    very clear. Some of the folks offered other suggestions in a related thread
    but I'll probably move on for now and try to figure out some of the other
    things in ASP.Net 2.0. :)

    Thanks,
    J.S.
    J.S., Aug 29, 2005
    #5
  6. J.S.

    John Horst Guest

    I would encrypt the whole connection string if you are going to put it
    in web.config. While Kevin is right about setting up security properly,
    if your system is subject to any kind of regulatory auditing, that
    explanation will not fly (more for political than technological
    reasons).

    I have worked in life sciences companies (pharmaceuticals/clinical labs)
    and for financial management companies as well as for the military and in
    all of these environments, putting username/password info in cleartext
    in web.config was an absolute no-no. Think a little about the
    environment you are in and what kind of regulatory issues might apply
    when considering this.

    John
    John Horst, Aug 29, 2005
    #6
  7. J.S.

    J.S. Guest

    "John Horst" <> wrote in message
    news:%...
    > I would encrypt the whole connection string if you are going to put it
    > in web.config. While Kevin is right about setting up security properly,
    > if your system is subject to any kind of regulatory auditing, that
    > explanation will not fly (more for political than technological
    > reasons).


    John, do you use the aspnet_regiis tool for encrypting the connection string
    or do you prefer some other method?

    > I have worked in life sciences companies (pharmaceuticals/clinical labs)
    > and for financial management companies as well as for the military and in
    > all of these environments, putting username/password info in cleartext
    > in web.config was an absolute no-no. Think a little about the
    > environment you are in and what kind of regulatory issues might apply
    > when considering this.


    That's an excellent point... and one many should consider.

    Thanks,
    J.S.
    J.S., Aug 29, 2005
    #7
  8. Re: ASP.Net 2.0: Pros and cons of putting connection string in a D

    I haven't made any .net dlls, but I used to put the connection string of asp
    sites in a classic vb dll. That is, until I found a website saying that you
    could open dlls with notepad and read half of what's in there - including
    connection strings. I couldn't believe it at first, but I opened our db
    connection dll in notepad, and sure enough I could read the connection string
    as plain text. Needless to say my next project was encrypting it and adding
    a decrypt to all the calls to connection string.

    So if you try this with a .net dll, be sure and test it to see if you can
    still read the dll in notepad. Encryption is pretty necessary if you're
    worried about security.

    "Kevin Spencer" wrote:

    > To put a Connection String (or any string) into a .Net DLL, create a
    > project, and add a class. Make the string a field or property of the class.
    >
    > Worrying about people reading your web.config file is, however, not
    > profitable. If your security is set up properly, a hacker can no more access
    > the web.config file than they can access your system files. It is disallowed
    > by IIS.
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > Paranoia is just a state of mind.
    >
    > "J.S." <> wrote in message
    > news:...
    > > Yes, that's what I am currently using but I was thinking of using a DLL
    > > instead. I have also tried using the encryption feature in ASP.Net 2.0 to
    > > encrypt that part of the web.config file but haven't got it working yet.
    wbrianwhite, Aug 29, 2005
    #8
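
The check described in post #8 (open the compiled DLL and see whether the connection string is readable), as an added example that is not part of the original thread: a Python script that pulls printable ASCII and UTF-16LE runs out of a binary and flags any that carry a `Password=`/`Pwd=` pair. The sample bytes, the connection string and the function names are constructed for illustration; both encodings are scanned because .NET stores string literals as UTF-16LE.

```python
import re

# Credential-bearing key=value pairs in ADO.NET-style connection strings.
CRED_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\"']+)")
MIN_LEN = 8  # ignore short runs of printable bytes

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for each printable run in the binary."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def redact(text: str) -> str:
    """Mask the credential value so the report itself does not leak it."""
    return CRED_RE.sub(lambda m: f"{m.group(1)}=****", text)


def find_embedded_credentials(blob: bytes):
    """Return findings for strings that contain a Password=/Pwd= pair."""
    findings = []
    for offset, enc, text in extract_strings(blob):
        m = CRED_RE.search(text)
        if m:
            findings.append({"offset": offset, "encoding": enc,
                             "key": m.group(1), "redacted": redact(text)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: a fake "DLL" holding the same literal in both encodings.
CONSTRUCTED_CONN = ("Data Source=db01;User ID=app;"
                    "Password=S3cr3t!;Initial Catalog=shop;")
SAMPLE_DLL = (b"MZ\x90\x00" + b"\x00" * 12
              + CONSTRUCTED_CONN.encode("utf-16le")
              + b"\x00\x01\x02" + b"get_ConnectionString\x00"
              + CONSTRUCTED_CONN.encode("ascii") + b"\x00")

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DLL):
        print(f"{f['offset']:#06x} {f['encoding']:9} {f['redacted']}")
```

Run against a real build output by reading the file with `open(path, "rb").read()`; any finding means the literal is recoverable from the shipped binary without decompiling it.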
  9. J.S.

    J.S. Guest

    Re: ASP.Net 2.0: Pros and cons of putting connection string in a D

    Did you use obfuscation for your DLL? I know they can be read quite easily
    unless one uses obfuscation.

    I'll probably just encrypt the connection string in the web.config for now.

    Thanks,
    J.S.

    --

    "wbrianwhite" <> wrote in message
    news:...
    > I haven't made any .net dlls, but I used to put the connection string of asp
    > sites in a classic vb dll. That is, until I found a website saying that you
    > could open dlls with notepad and read half of what's in there - including
    > connection strings. I couldn't believe it at first, but I opened our db
    > connection dll in notepad, and sure enough I could read the connection string
    > as plain text. Needless to say my next project was encrypting it and adding
    > a decrypt to all the calls to connection string.
    >
    > So if you try this with a .net dll, be sure and test it to see if you can
    > still read the dll in notepad. Encryption is pretty necessary if you're
    > worried about security.
    J.S., Aug 29, 2005
    #9
  10. J.S.

    tomahawk

    Some Thoughts

    You might want to consider that config files may be easier to spoof than dll's.
    tomahawk, May 20, 2009
    #10
  11. J.S.

    shawpnendu

    I think MD5 is the best & easy solution for encryption.
    shawpnendu, May 20, 2009
    #11