Connection String in global.asa

fruddy

Hi everybody,
I currently have my SQL Server connection string in an
Application variable in the global.asa.

Could that be a security risk?

I have heard that with Cold Fusion, when there is a page error.... the
actual Connection String is written to the screen as part of the error
page....

I'm quite sure that would not occur in ASP but just wanted to be sure,
and get a few expert opinions....
 
Aaron Bertrand [MVP]

> I have heard that with Cold Fusion, when there is a page error.... the
> actual Connection String is written to the screen as part of the error
> page....

That sounds kind of weird to me...

> I'm quite sure that would not occur in ASP but just wanted to be sure,
> and get a few expert opinions....

global.asa should be fine, as long as you're not running a very early and
unpatched version of IIS 4.0.

Keep in mind, though, that your ASP pages are only as secure as the server
they're hosted on. No matter how deep you bury your connection string, it
is accessible to anyone who can penetrate the file system. Even if you bury
your connection string in a DLL, if your ASP pages can access it, then an
intruder could write an ASP page that uses response.write to display it (or,
if the connection string isn't a property, they could retrieve information
from running commands directly against the database via the DLL).

It's all about trade-offs...
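
The point above, that a connection string in global.asa is readable by anyone who reaches the file system, can be checked from the defender's side. This is an added example, not part of the thread: a small Python audit that lists which Application variables in a global.asa hold a connection string with an embedded password, redacting the secret in its report. The sample file, its variable names, server, account and password are constructed for illustration.

```python
import re

# VBScript assignment such as: Application("ConnStr") = "Provider=...;"
ASSIGN_RE = re.compile(r'Application\(\s*"([^"]+)"\s*\)\s*=\s*"([^"]*)"', re.I)
# Keys that mark a value as an OLE DB / ODBC connection string
CONN_KEYS = {"provider", "driver", "data source", "server", "dsn"}
PASSWORD_RE = re.compile(r"\b(password|pwd)\s*=\s*[^;]*", re.I)

def parse_conn_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip().lower()] = val.strip()
    return pairs

def audit_global_asa(text):
    """Return one finding per Application variable holding a connection string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("'"):  # skip VBScript comment lines
            continue
        for name, value in ASSIGN_RE.findall(line):
            pairs = parse_conn_string(value)
            if not CONN_KEYS & pairs.keys():
                continue  # ordinary Application variable, not a connection string
            findings.append({
                "line": lineno,
                "variable": name,
                "user": pairs.get("user id") or pairs.get("uid"),
                "has_password": bool(pairs.get("password") or pairs.get("pwd")),
                # never echo the secret into a report or log
                "redacted": PASSWORD_RE.sub(r"\1=***", value),
            })
    return findings

# Constructed sample; server, database, account and password are made up.
SAMPLE_GLOBAL_ASA = '''<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
    ' Application("OldConn") = "Provider=SQLOLEDB;Password=old"
    Application("ConnStr") = "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=Shop;User ID=webapp;Password=EXAMPLE-ONLY"
    Application("SiteName") = "Shop"
End Sub
</SCRIPT>'''

if __name__ == "__main__":
    for finding in audit_global_asa(SAMPLE_GLOBAL_ASA):
        print(finding)
```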
 
