ASP.Net 2.0: Pros and cons of putting connection string in a DLL

J

J.S.

What are the pros and cons of putting the database connection information in
a DLL? Also, how does one do it? ;-)

Thanks,
J.S.

--
 
S

sreejith.ram

I guess a widely used approach is to use a appSetting key in Web.config

<appSettings>
<add key="DbConn_Str" value="Data Source=dsnamehere;User
ID=useridhere;Password=passwordhere;Initial Catalog=dbnamehere;" />
</appSettings>

Advantage is that u could change it any time without rebuilding the
application
 
J

J.S.

Yes, that's what I am currently using but I was thinking of using a DLL
instead. I have also tried using the encryption feature in ASP.Net 2.0 to
encrypt that part of the web.config file but haven't got it working yet.

--
 
K

Kevin Spencer

To put a Connection String (or any string) into a .Net DLL, create a
project, and add a class. Make the string a field or property of the class.

Worrying about people reading your web.config file is, however, not
profitable. If your security is set up properly, a hacker can no more access
the web.config file than they can access your system files. It is disallowed
by IIS.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Paranoia is just a state of mind.
 
J

J.S.

Kevin Spencer said:
To put a Connection String (or any string) into a .Net DLL, create a
project, and add a class. Make the string a field or property of the
class.

Thanks, Kevin!
Worrying about people reading your web.config file is, however, not
profitable. If your security is set up properly, a hacker can no more
access the web.config file than they can access your system files. It is
disallowed by IIS.

You are quite correct but I stumbled across the ASP.Net 2.0 feature to
encrypt the connection string in the .config file. That's how I started
thinking about this issue. However, that feature is a bit buggy in Beta 2
(I don't have the later CTPs) and the apsnet_regiis tool options weren't
very clear. Some of the folks offered other suggestions in a related thread
but I'll probably move on for now and try to figure out some of the other
things in ASP.Net 2.0. :)

Thanks,
J.S.
 
J

John Horst

I would encrypt the whole connection string if you are going to put it
in web.config. While Kevin is right about setting up security properly,
if your system is subject to any kind of regulatory auditing, that
explanation will not fly (more for political than technological
reasons).

I have worked in life sciences companies (pharmaceuticals/clinical labs)
and for financial management companies as well for the military and in
all of these environments, putting username/password info in cleartext
in web.config was an absolute no-no. Think a little about the
environment you are in and what kind of regulatory issues might apply
when considering this.

John
 
J

J.S.

John Horst said:
I would encrypt the whole connection string if you are going to put it
in web.config. While Kevin is right about setting up security properly,
if your system is subject to any kind of regulatory auditing, that
explanation will not fly (more for political than technological
reasons).

John, do you use the aspnet_regiis tool for encrypting the connection string
or do you prefer some other method?
I have worked in life sciences companies (pharmaceuticals/clinical labs)
and for financial management companies as well for the military and in
all of these environments, putting username/password info in cleartext
in web.config was an absolute no-no. Think a little about the
environment you are in and what kind of regulatory issues might apply
when considering this.

That's an excellent point... and one many should consider.

Thanks,
J.S.
 
G

Guest

I haven't made any .net dlls, but I used to put the connection string of asp
sites in a classic vb dll. That is, until I found a website saying that you
could open dlls with notepad and read half of what's in there - including
connection strings. I couldn't believe it at first, but I opened our db
connection dll in notepad, and sure enough I could read the connection string
as plain text. Needless to say my next project was encrypting it and adding
a decrypt to all the calls to connection string.

So if you try this with a .net dll, be sure and test it to see if you can
still read the dll in notepad. Encryption is pretty necessary if you're
worried about security.

Kevin Spencer said:
To put a Connection String (or any string) into a .Net DLL, create a
project, and add a class. Make the string a field or property of the class.

Worrying about people reading your web.config file is, however, not
profitable. If your security is set up properly, a hacker can no more access
the web.config file than they can access your system files. It is disallowed
by IIS.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Paranoia is just a state of mind.
 
J

J.S.

Did you use obfuscation for your DLL? I know they can be read quite easily
unless one uses obfuscation.

I'll probably just encrypt the connection string in the web.config for now.

Thanks,
J.S.
 
Joined
May 20, 2009
Messages
1
Reaction score
0
Some Thoughts

You might want to consider that config files may be easier to spoof than dll's.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,754
Messages
2,569,520
Members
44,996
Latest member
rainocode

Latest Threads

Top