Hi
lol. It was the latter that I was more worried about. I'm more asking
from the point of view of a user on the other side of the world getting
into the asp files.
Hmm Where do you store the connection/password info ?
I store them in an include, outside the IIS website hierarchy. It's
not really *that* much safer, just that most of the hacks for
directory traversal or other means of viewing files on systems depend
on either a known folder structure (\\winnt\system32\etc...) or access
to the web folders. Placing connection string includes, as well as
databases, etc. outside the structure in a folder that isn't easily
guessable is just one more hurdle to get by.
I have 1 ASP-VBSCRIPT CLASS .asp file that handles my connection to
the DB and even all the code for getting recordsets back in different
formats (Recordset or array or none)
I have my connection string set up as follows in the global.asa:
Application("DBConnection") = "Provider=SQLOLEDB; Data Source=(local);
Initial Catalog=dbname; User ID=[***USER***]; Password=[***PASS***];
Persist Security Info=True"
I'm not fond of having connection strings in the global.asa, but part
of that stems from having to access different connections depending on
what's going on. There are arguments not to provide connection
information between sessions, instead creating and destroying
connections as needed, plus if you have pages that don't need a
connection, you're creating it for the user even if you never use it.
A lot of this depends on design considerations and has to do with
scalability issues, so each organization is affected differently.
and in my class I replace the user & password bits with the actual
name & password... hmm, thinking about it, I don't need to store the
above in the Application object (this was from my old system before I
wrote the class lol)
You don't, and it's probably not a smart programming move, though I
don't think it would affect security.
LOL, yeah, there is always that possibility
Security is a matter of tradeoffs. You often trade security for
usability, until you get a balance that works in your specific
instance. What you need for security might not be the same as the kid
in his high school lab creating a project that will be destroyed next
month, or the CIA creating a system to share intelligence with other
agencies.
Jeff
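As an added example (not code from anyone in this thread), here is one way to put the two ideas above together in classic ASP: a VBScript class that reads its connection string from a file kept outside the IIS website hierarchy, opens the ADODB connection only when a page actually runs a query (so pages that never touch the database never pay for a connection and nothing sits in the Application object), and hands results back either as a disconnected recordset or as a 2-D array. The config path `D:\AppConfig\x7q2\dbconn.txt`, the class name `DBConnection`, the one-line file format and the `users` table in the usage block are all assumptions made for this example; the file is read with FileSystemObject by absolute path so it does not rely on `..` includes or parent-path settings.

```vbscript
<%
' Added example, not from the original thread.
' Connection string lives in a file outside the web root and is read on first use.
Option Explicit

Class DBConnection
    Private m_Conn          ' ADODB.Connection; Nothing until the first query
    Private m_ConnString    ' loaded lazily from m_ConfigPath
    Private m_ConfigPath    ' ASSUMED path; a non-guessable folder NOT under wwwroot

    Private Sub Class_Initialize()
        Set m_Conn = Nothing
        m_ConnString = ""
        m_ConfigPath = "D:\AppConfig\x7q2\dbconn.txt"   ' assumption for this example
    End Sub

    Private Sub Class_Terminate()
        CloseConnection
    End Sub

    ' Read the single-line connection string. Only the IIS worker identity needs
    ' NTFS read access to this file; no web virtual directory maps to it.
    Private Sub LoadConnString()
        Dim fso, ts
        Set fso = Server.CreateObject("Scripting.FileSystemObject")
        If Not fso.FileExists(m_ConfigPath) Then
            Err.Raise vbObjectError + 1, "DBConnection", "Connection config not found"
        End If
        Set ts = fso.OpenTextFile(m_ConfigPath, 1)     ' 1 = ForReading
        m_ConnString = Trim(ts.ReadLine)
        ts.Close
        Set ts = Nothing
        Set fso = Nothing
    End Sub

    ' Lazy open: a page that never queries never creates a connection.
    Private Sub EnsureOpen()
        If m_Conn Is Nothing Then
            If m_ConnString = "" Then LoadConnString
            Set m_Conn = Server.CreateObject("ADODB.Connection")
            m_Conn.Open m_ConnString
        End If
    End Sub

    Public Sub CloseConnection()
        If Not m_Conn Is Nothing Then
            If m_Conn.State <> 0 Then m_Conn.Close     ' 0 = adStateClosed
            Set m_Conn = Nothing
        End If
    End Sub

    ' Parameterised query returning a disconnected, read-only recordset.
    ' params is an array of values bound to the ? placeholders in sql, so user
    ' input never gets concatenated into the SQL text.
    Public Function GetRecordset(sql, params)
        Dim cmd, rs, i
        EnsureOpen
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = m_Conn
        cmd.CommandText = sql
        cmd.CommandType = 1                             ' adCmdText
        For i = 0 To UBound(params)
            ' Simplification: every parameter is bound as adVarChar(255), adParamInput.
            cmd.Parameters.Append cmd.CreateParameter("p" & i, 200, 1, 255, CStr(params(i)))
        Next
        Set rs = Server.CreateObject("ADODB.Recordset")
        rs.CursorLocation = 3                           ' adUseClient
        rs.Open cmd, , 3, 1                             ' adOpenStatic, adLockReadOnly
        Set rs.ActiveConnection = Nothing               ' disconnect; safe to close m_Conn
        Set GetRecordset = rs
    End Function

    ' Same query returned as a 2-D array (field, row), or Empty when there are no rows.
    Public Function GetArray(sql, params)
        Dim rs
        Set rs = GetRecordset(sql, params)
        If rs.EOF Then
            GetArray = Empty
        Else
            GetArray = rs.GetRows()
        End If
        rs.Close
        Set rs = Nothing
    End Function
End Class

' Usage (table and column names are assumptions for this example)
Dim db, rows
Set db = New DBConnection
rows = db.GetArray("SELECT name FROM users WHERE id = ?", Array(Request.QueryString("id")))
If Not IsEmpty(rows) Then Response.Write Server.HTMLEncode(rows(0, 0))
db.CloseConnection
Set db = Nothing
%>
```

Two things to check when deploying something like this: confirm with a browser that the config folder is not reachable through any virtual directory or UNC share, and grant read access on the file to the identity the site's worker process runs as rather than to the anonymous web user.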