.net 2.0 DataList security

Discussion in 'ASP .Net Security' started by John, Feb 22, 2006.

  1. John

    John Guest

    Being a classic .asp programmer I'm very fond of the idea of using the drag
    and drop DataList control that's in asp.net 2005. This sounds like it will
    totally save me a ton of work and time in not having to recreate the wheel
    as I find myself recoding the same basic data access controls/forms in
    classic .asp for all of my user requests. The data that we have is
    sensitive data and I've installed the Certificate Service on our IIS 5.0 web
    server which should be encrypting the whole communication from our web
    server to our database SQL Server 2000 server (which is on a different
    machine). In using this https/ssl method I've been storing the connection
    string in a connection string .asp file and have individual SQL logins for
    each user that accesses the data to our SQL Server database.

    I guess I'm not too clear on the back end things with this DataList control
    since there's no script file being created with all of the statements. Is
    using this DataList control secure in that SQL injection won't be possible?
    Is it ok to use this control where all of the hidden backend SQL commands are
    secure and that it won't be necessary in having to create and write
    parameterized stored procedures as the known good programming practice?
    Also, in continuation with my above paragraph I notice that in configuring
    the SQLDataSource for the DataList control it appears that there will always
    only be one so called "generic" login (whether it's Windows Authentication
    or SQL Authentication being chosen in the Configure Data Source) as the
    connection to our SQL Server in that we need to track all individual user
    activity to the database. I had created an automatic profiler trace stored
    procedure which has been extremely helpful for the past few years in doing
    the 'heavy lifting' of documenting all user activity and operation on the
    database. So is there a way to modify the connection setting to allow any
    individual with valid SQL login credentials to connect to our SQL Server?
    Will the current https/ssl setup that I have for my classic .asp
    applications be ok to implement the same way in creating asp.net 2005
    applications in that the connection string will be stored as a SQL
    authentication string in one of the asp.net 2005 project files since the
    whole communication layer is being encrypted?

    John, Feb 22, 2006