database connection string...

Jim

I want to store a database connection (includes username & password) for my
asp.net app, currently I have it stored in the web.config file - I know this
is not ideal but can anyone suggest a better place or way to store it.

Cheers

Earth Worm Jim
 
Shawn

You could create a .dll and store it there. If you use a .dll you can also
encrypt your username and password. I don't think you can do that if you
put it in the Web.config file. This is probably not the ideal way of
storing a connectionstring either, but it's the best I can come up with.
Hopefully someone else can show us a better way?

Shawn


"Jim" <ssss> wrote in message
> I want to store a database connection (includes username & password) for my
> asp.net app, currently I have it stored in the web.config file - I know this
> is not ideal but can anyone suggest a better place or way to store it.
>
> Cheers
>
> Earth Worm Jim
 
Rajesh.V

.Net has a rich set of Cryptography classes. Choose a symmetric algo like
triple des or md5 to keep encrypted conn string in the web.config and
decrypt upon usage. Also note if anybody decompiled the application dll
which employs this decryption, they can see the password. So you will have to do
one more level like obfuscation of the dll.
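
The approach suggested in the post above (keep the connection string encrypted in web.config, decrypt on use), as an added example that is not code from any poster: it swaps the suggested Triple DES for Windows DPAPI (`ProtectedData`), so no key sits in the application DLL for a decompiler to find. The class name, entropy label and connection string are constructed for illustration.

```csharp
// Added example, not from the thread. Windows only: reference System.Security.dll on
// .NET Framework, or the System.Security.Cryptography.ProtectedData package on .NET.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ConnStringProtector // hypothetical helper name
{
    // Optional entropy is a label, not a secret key (constructed value).
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.ConnString.v1");

    // Run once on the web server at deployment; store the result in web.config.
    public static string Protect(string plain)
    {
        byte[] data = Encoding.UTF8.GetBytes(plain);
        try
        {
            byte[] blob = ProtectedData.Protect(data, Entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(data, 0, data.Length); }
    }

    // Called by the application just before opening the connection.
    public static string Unprotect(string stored)
    {
        byte[] blob = Convert.FromBase64String(stored);
        // Throws CryptographicException if the blob was altered or comes from another machine.
        byte[] data = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(data); }
        finally { Array.Clear(data, 0, data.Length); }
    }

    public static void Main()
    {
        // Constructed sample value, not a real credential.
        string plain = "Server=db01;Database=Orders;User Id=webapp;Password=example-only";
        string stored = Protect(plain);
        Console.WriteLine("value for web.config: " + stored);
        Console.WriteLine("round trip ok: " + (Unprotect(stored) == plain));

        // A modified blob must be rejected rather than decrypted to garbage.
        byte[] tampered = Convert.FromBase64String(stored);
        tampered[tampered.Length - 1] ^= 0x01;
        try { Unprotect(Convert.ToBase64String(tampered)); Console.WriteLine("tampered blob accepted"); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }
    }
}
```

With `DataProtectionScope.LocalMachine`, any code running on that server can decrypt the value, so this covers disclosure of the web.config file but not code execution on the web server.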
 
Jim

If the web server is hacked and the root directory is exposed then the
hacker will have username and password to the database.

Is that not a scenario I should be concerned about?

Earth Worm Jim
 
Kevin Spencer

> If the web server is hacked and the root directory is exposed then the
> hacker will have username and password to the database.
>
> Is that not a scenario I should be concerned about?

If you replace "web server" with any other server entity, you will see the
flaw in your logic. Examples:

If the database is hacked...
If the file system is hacked...
If the registry is hacked...

If anything containing data is hacked, of course, the data is compromised.
The trick is to protect your server from hackers.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big Things are made up of
Lots of Little Things.
 
Jim

I agree with what you are saying ......

BUT let's say a serious flaw is found in IIS (my preferred web server) and
this allows the hacker access at the root of the website and they then gain
the username & password from the web.config, they can destroy\delete data in
the database, but whereas if the connection string is protected by
encryption or another means and they can't decrypt the string they cannot
gain access to the database and therefore not destroy\delete data.

I suppose I am thinking of another level of misdirection for the hacker...

Cheers

Earth Worm Jim
 
