Connection String in global.asa

Discussion in 'ASP General' started by fruddy, Mar 1, 2004.

  1. fruddy

    fruddy Guest

    Hi everybody,
    I currently have my SQL Server connection string in an
    Application variable in the global.asa.

    Could that be a security risk?

    I have heard that with Cold Fusion, when there is a page error.... the
    actual Connection String is written to the screen as part of the error
    page....

    I'm quite sure that would not occur in ASP but just wanted to be sure,
    and get a few expert opinions....

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    fruddy, Mar 1, 2004
    #1
    1. Advertising

  2. > I have heard that with Cold Fusion, when there is a page error.... the
    > actual Connection String is written to the screen as part of the error
    > page....


    That sounds kind of weird to me...

    > I'm quite sure that would not occur in ASP but just wanted to be sure,
    > and get a few expert opinions....


    global.asa should be fine, as long as you're not running a very early and
    unpatched version of IIS 4.0.

    Keep in mind, though, that your ASP pages are only as secure as the server
    they're hosted on. No matter how deep you bury your connection string, it
    is accessible to anyone who can penetrate the file system. Even if you bury
    your connection string in a DLL, if your ASP pages can access it, then an
    intruder could write an ASP page that uses response.write to display it (or,
    if the connection string isn't a property, they could retrieve information
    from running commands directly against the database via the DLL).

    It's all about trade-offs...

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/
     
    Aaron Bertrand [MVP], Mar 1, 2004
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Darlene Gauthier

    PostRequestHandlerExecute event in global.asa

    Darlene Gauthier, Jul 23, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    1,444
    Karl Seguin
    Jul 23, 2003
  2. Kevin Spencer

    Re: global.asa file (count sessions)

    Kevin Spencer, Jul 30, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    365
    Kevin Spencer
    Jul 30, 2003
  3. Wayne
    Replies:
    2
    Views:
    494
    Wayne
    Nov 11, 2003
  4. mvr

    connection info in Global.asa

    mvr, Nov 1, 2005, in forum: ASP General
    Replies:
    1
    Views:
    116
    Prabhat
    Nov 1, 2005
  5. Sylvain
    Replies:
    3
    Views:
    136
    Bob Barrows [MVP]
    Apr 26, 2006
Loading...

Share This Page