|
 |
aspx thread: where to store connectionstring
Message #1 by "Gerhard Wentink" <gerhard@d...> on Fri, 14 Mar 2003 09:32:29
|
|
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #2 by Sam Clohesy <samc@e...> on Fri, 14 Mar 2003 09:31:11 -0000
|
|
I use the web.config myself
Cheers
Sam
Sam Clohesy
Project Manager
T: 0208 772 3958
E: samc@e...
W: http://www.etypemedia.com
W: http://www.siteactive.net
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: 14 March 2003 09:32
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #3 by "Palani, Sakthivel (Cognizant)" <PSakthiv@c...> on Fri, 14 Mar 2003 15:00:41 +0530
|
|
Add it under Appsettings in web.config
ex:
<appSettings>
<add key="ConnStrProlite" value="Provider=SQLOLEDB.1;Password=;Persist Security Info=True;User ID=prolite;Initial Catalog=;Data
Source=;Use Procedure for Prepare=1;Auto Translate=True;Packet Size=4096;Use Encryption for Data=False;Tag with column collation
when possible=False" />
</appSettings>
and access it from your page using system.configurationsettings
ex:
ProliteDBConn = System.Configuration.ConfigurationSettings.AppSettings("ConnStrProlite")
Regards,
Sakthi.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 3:02 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #4 by "Naveen" <naveen@v...> on Fri, 14 Mar 2003 15:11:26 +0530
|
|
Hi,
1. Go to Web.Config file in the solution explore
2. add new tag in appsetting tag.
Key value can be of your choice
<configuration>
<appSettings>
<!-- User application and configured property settings go here.-->
<!-- Example: <add key="settingName" value="settingValue"/> -->
<add key="sqlConnectionString" value="Data Source=NAVEEN;user
id=naveen;password=naveen; initial catalog=Tracking" />
</appSettings>
</configuration>
3. refer the key value in the C#(vb.net) file as below.
string strConString
ConfigurationSettings.AppSettings["sqlConnectionString"];
SqlConnection con = new SqlConnection();
con.ConnectionString = strConString;
con.Open();
Regards,
Naveen Nayak
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 9:32 AM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #5 by irfan.syed@g... on Fri, 14 Mar 2003 18:05:53 +0800
|
|
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with
this
issue.
Regards,
Gerhard Wentink
Message #6 by "Gerhard Wentink" <gerhard@d...> on Fri, 14 Mar 2003 11:28:58 +0100
|
|
Storing it in the registry is not always an option, because most ISP's
won't allow that.
It seems to be impossible to read the web.config from "outerspace". Do
you happen to now how "hackable" it is?
Regards,
Gerhard Wentink
-----Oorspronkelijk bericht-----
Van: irfan.syed@g... [mailto:irfan.syed@g...]
Verzonden: vrijdag 14 maart 2003 11:06
Aan: ASP.NET
Onderwerp: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it is encrypted. If you don't encrypt it, the best way to go is to store
it in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with
this
issue.
Regards,
Gerhard Wentink
Message #7 by Carlos Magalhaes <CarlosM@t...> on Fri, 14 Mar 2003 12:32:23 +0200
|
|
Why do you say that?
Unless people have access to your Virtual Directory where you site is stored
then your web.config file is safe , NTFS file/folder permissions should be
sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #8 by "Charles Heyneman" <cheyneman@i...> on Fri, 14 Mar 2003 15:18:05
|
|
Great Question! We are storing the string in a class library file that
then get referenced by any given project. Seems the only way this string
would be detected is if the library object gets decompiled. I'ld love to
hear others' opinions.
> Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored
then your web.config file is safe , NTFS file/folder permissions should be
sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #9 by "Palani, Sakthivel (Cognizant)" <PSakthiv@c...> on Sat, 15 Mar 2003 13:05:52 +0530
|
|
This is not flexible, if you want to change the connection string for 101 reasons you have to recompile
your component.
In terms of connection string security this might be the best approach.
Regards,
Sakthi.
-----Original Message-----
From: Charles Heyneman [mailto:cheyneman@i...]
Sent: Friday, March 14, 2003 8:48 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Great Question! We are storing the string in a class library file that
then get referenced by any given project. Seems the only way this string
would be detected is if the library object gets decompiled. I'ld love to
hear others' opinions.
> Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored
then your web.config file is safe , NTFS file/folder permissions should be
sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #10 by irfan.syed@g... on Mon, 17 Mar 2003 09:48:51 +0800
|
|
Well, it may not be "hackable" from "outer space" but as you noted, it
is
still a plain text file which can be read from anybody with
physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only
option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with
this
issue.
Regards,
Gerhard Wentink
Message #11 by "Colin MacKenzie" <colin@t...> on Sun, 16 Mar 2003 19:41:57 -0700
|
|
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp code),
global.asa was the way to go. From my understanding of how .net works,
web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff is
being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)... seems
to me, this would give you another layer of protection against prying
eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it is
still a plain text file which can be read from anybody with physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #12 by irfan.syed@g... on Mon, 17 Mar 2003 11:05:06 +0800
|
|
Yes true Colin and that was my original suggestion. We do use web.config
to store connection strings but use TripleDES encryption to encrypt
entire strings and then store in web.config. If connection string to be
used very frequently, we save it into application variable using
Application_OnStart event of global.asax.
And by the way web.config is NOT new global.asa. There still us
global.asax which does stuff like Session_OnStart, On_End,
Application_OnStart, OnEnd and some new cool events like
Application_BeginRequest, Application_AuthenticateRequest and
Application_Error. Web.config can't do this stuff.
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 10:42 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp
code), global.asa was the way to go. From my understanding of how .net
works, web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff
is being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)...
seems to me, this would give you another layer of protection against
prying eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it
is
still a plain text file which can be read from anybody with
physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only
option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application. In a recent project I stored it as a public variable in
the Global.asax file. It works allright, but I just wondered how other
developers deal with this
issue.
Regards,
Gerhard Wentink
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
Message #13 by "Rohit Arora" <rohit_arora@i...> on Mon, 17 Mar 2003 09:38:16 +0530
|
|
Yeah for security .net provides MD5 and sha1 algo for encryption
(system.security.cryptography). Jes encrypt that connectionstring and place
it over there..make a global variable for ur application containing
decrypted connection string and use it anywhere.
Regards
Rohit Arora
Intersolutions (P) Ltd
B - 21, Sector 58,
Noida - 201301
Tel : 91-2585703/04/05 Extn: 229
"Desire means never Quit. It may be near when it seems far, so stick to the
fight when you are hardest hit.Its when things go wrong, that u must not
Quit."
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 8:12 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
>From what I've used previously (a number of years writing "old":) asp
code),
global.asa was the way to go. From my understanding of how .net works,
web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff is
being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)... seems
to me, this would give you another layer of protection against prying
eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it is
still a plain text file which can be read from anybody with physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application.
In a recent project I stored it as a public variable in the Global.asax
file.
It works allright, but I just wondered how other developers deal with this
issue.
Regards,
Gerhard Wentink
Message #14 by Carlos Magalhaes <CarlosM@t...> on Mon, 17 Mar 2003 08:41:22 +0200
|
|
If one is worried about people hacking the "plain text file" web.config
(XML file) then what you can do is store your connection string in your code
behind which is then compiled into a DLL in the BIN directory of your
project.
If someone is going to go threw the effort to decompile your .dll file to
get your connection string they will most likely go through the same effort
to crack your encryption on the file.
You are quite safe with the following options:
Connection string stored in:
1. Web.config file on the ISP
2. Compiled DLL in bin directory
3. Encrypt the file in some sort of encryption.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Monday, March 17, 2003 5:05 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Yes true Colin and that was my original suggestion. We do use web.config
to store connection strings but use TripleDES encryption to encrypt
entire strings and then store in web.config. If connection string to be
used very frequently, we save it into application variable using
Application_OnStart event of global.asax.
And by the way web.config is NOT new global.asa. There still us
global.asax which does stuff like Session_OnStart, On_End,
Application_OnStart, OnEnd and some new cool events like
Application_BeginRequest, Application_AuthenticateRequest and
Application_Error. Web.config can't do this stuff.
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 10:42 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp
code), global.asa was the way to go. From my understanding of how .net
works, web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff
is being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)...
seems to me, this would give you another layer of protection against
prying eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it is
still a plain text file which can be read from anybody with physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application. In a recent project I stored it as a public variable in
the Global.asax file. It works allright, but I just wondered how other
developers deal with this
issue.
Regards,
Gerhard Wentink
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
Message #15 by irfan.syed@g... on Mon, 17 Mar 2003 14:50:13 +0800
|
|
I won't go for DLL option as if you ever had to change password or
server
IP, you will need to call the programmers, change the connection string,
re-compile and upload again. And this kind of thing always runs into
version problems.
Irfan
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Monday, March 17, 2003 2:41 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
If one is worried about people hacking the "plain text file" web.config
(XML file) then what you can do is store your connection string in your
code behind which is then compiled into a DLL in the BIN directory of
your
project.
If someone is going to go threw the effort to decompile your .dll file
to
get your connection string they will most likely go through the same
effort to crack your encryption on the file.
You are quite safe with the following options:
Connection string stored in:
1. Web.config file on the ISP
2. Compiled DLL in bin directory
3. Encrypt the file in some sort of encryption.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Monday, March 17, 2003 5:05 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Yes true Colin and that was my original suggestion. We do use web.config
to store connection strings but use TripleDES encryption to encrypt
entire strings and then store in web.config. If connection string to be
used very frequently, we save it into application variable using
Application_OnStart event of global.asax.
And by the way web.config is NOT new global.asa. There still us
global.asax which does stuff like Session_OnStart, On_End,
Application_OnStart, OnEnd and some new cool events like
Application_BeginRequest, Application_AuthenticateRequest and
Application_Error. Web.config can't do this stuff.
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 10:42 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp
code), global.asa was the way to go. From my understanding of how .net
works, web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff
is being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)...
seems to me, this would give you another layer of protection against
prying eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it
is
still a plain text file which can be read from anybody with
physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only
option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application. In a recent project I stored it as a public variable in
the Global.asax file. It works allright, but I just wondered how other
developers deal with this
issue.
Regards,
Gerhard Wentink
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
Message #16 by <kshatdalpriya@i...> on Mon, 17 Mar 2003 15:39:51 +0530
|
|
Why did not put in the connection string in the global.asa ....
With Regards
Kumar Shatdal Priya
software Engineer
Integrated Systems Management Inc.
SCO-10 , Sector -14
Gurgaon , Haryana
Phone: 91-6335864/65
Web: http://www.ismnet.com <http://www.ismnet.com>
"DIGITAL DOMINANCE"
-----Original Message-----
From: Carlos Magalhaes [mailto:CarlosM@t...]
Sent: Monday, March 17, 2003 12:11 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
If one is worried about people hacking the "plain text file" web.config
(XML file) then what you can do is store your connection string in your
code behind which is then compiled into a DLL in the BIN directory of
your project.
If someone is going to go threw the effort to decompile your .dll file
to get your connection string they will most likely go through the same
effort to crack your encryption on the file.
You are quite safe with the following options:
Connection string stored in:
1. Web.config file on the ISP
2. Compiled DLL in bin directory
3. Encrypt the file in some sort of encryption.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Monday, March 17, 2003 5:05 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Yes true Colin and that was my original suggestion. We do use web.config
to store connection strings but use TripleDES encryption to encrypt
entire strings and then store in web.config. If connection string to be
used very frequently, we save it into application variable using
Application_OnStart event of global.asax.
And by the way web.config is NOT new global.asa. There still us
global.asax which does stuff like Session_OnStart, On_End,
Application_OnStart, OnEnd and some new cool events like
Application_BeginRequest, Application_AuthenticateRequest and
Application_Error. Web.config can't do this stuff.
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 10:42 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp
code), global.asa was the way to go. From my understanding of how .net
works, web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff
is being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)...
seems to me, this would give you another layer of protection against
prying eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it
is
still a plain text file which can be read from anybody with
physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only
option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application. In a recent project I stored it as a public variable in
the Global.asax file. It works allright, but I just wondered how other
developers deal with this
issue.
Regards,
Gerhard Wentink
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
Message #17 by "Gerhard Wentink" <gerhard@d...> on Mon, 17 Mar 2003 21:24:46 +0100
|
|
Thanks to all for interesting contributions.
Regards,
Gerhard Wentink
-----Oorspronkelijk bericht-----
Van: irfan.syed@g... [mailto:irfan.syed@g...]
Verzonden: maandag 17 maart 2003 7:50
Aan: ASP.NET
Onderwerp: [aspx] RE: where to store connectionstring
I won't go for DLL option as if you ever had to change password or
server IP, you will need to call the programmers, change the connection
string, re-compile and upload again. And this kind of thing always runs
into version problems.
Irfan
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Monday, March 17, 2003 2:41 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
If one is worried about people hacking the "plain text file" web.config
(XML file) then what you can do is store your connection string in your
code behind which is then compiled into a DLL in the BIN directory of
your project.
If someone is going to go threw the effort to decompile your .dll file
to get your connection string they will most likely go through the same
effort to crack your encryption on the file.
You are quite safe with the following options:
Connection string stored in:
1. Web.config file on the ISP
2. Compiled DLL in bin directory
3. Encrypt the file in some sort of encryption.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Monday, March 17, 2003 5:05 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Yes true Colin and that was my original suggestion. We do use web.config
to store connection strings but use TripleDES encryption to encrypt
entire strings and then store in web.config. If connection string to be
used very frequently, we save it into application variable using
Application_OnStart event of global.asax.
And by the way web.config is NOT new global.asa. There still us
global.asax which does stuff like Session_OnStart, On_End,
Application_OnStart, OnEnd and some new cool events like
Application_BeginRequest, Application_AuthenticateRequest and
Application_Error. Web.config can't do this stuff.
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 10:42 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp
code), global.asa was the way to go. From my understanding of how .net
works, web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff
is being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)...
seems to me, this would give you another layer of protection against
prying eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it
is
still a plain text file which can be read from anybody with
physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only
option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application. In a recent project I stored it as a public variable in
the Global.asax file. It works allright, but I just wondered how other
developers deal with this
issue.
Regards,
Gerhard Wentink
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
Message #18 by "Peter Lanoie" <planoie@n...> on Tue, 18 Mar 2003 09:26:57 -0500
|
|
One last thought for this topic.
Our organization has gone thru the "where to store connection strings"
indecision. We started with the Registry, then went to UDL files, then to
web.config upon adoption of .Net, now we are back to the Registry. In our
case, the Registry solution is easy because all our applications are on our
own machines. In the case of using an ISP, I see now reason why web.config
should be an issue. Many have suggested encrypting the file, the contents
or some variation of that for protection of connections. The way I see it
is: If the ISP is set up correctly and have all its clients/users isolated
correctly with security, there's little reason to believe someone may be
able to get to your connection strings because the files are not accessible.
Anyone who would be able to access the files apart from their owner would
more than likely also be able to access the data the user is connecting to
anyway (this is of course presuming that the ISP is hosting your data as
well). This is a fact of using an ISP. If you are doing something that is
so serious that you have to go to such great lengths to protect your data,
you probably aught to look into running your own servers.
Peter
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Monday, March 17, 2003 15:25
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Thanks to all for interesting contributions.
Regards,
Gerhard Wentink
-----Oorspronkelijk bericht-----
Van: irfan.syed@g... [mailto:irfan.syed@g...]
Verzonden: maandag 17 maart 2003 7:50
Aan: ASP.NET
Onderwerp: [aspx] RE: where to store connectionstring
I won't go for DLL option as if you ever had to change password or
server IP, you will need to call the programmers, change the connection
string, re-compile and upload again. And this kind of thing always runs
into version problems.
Irfan
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Monday, March 17, 2003 2:41 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
If one is worried about people hacking the "plain text file" web.config
(XML file) then what you can do is store your connection string in your
code behind which is then compiled into a DLL in the BIN directory of
your project.
If someone is going to go threw the effort to decompile your .dll file
to get your connection string they will most likely go through the same
effort to crack your encryption on the file.
You are quite safe with the following options:
Connection string stored in:
1. Web.config file on the ISP
2. Compiled DLL in bin directory
3. Encrypt the file in some sort of encryption.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Monday, March 17, 2003 5:05 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Yes true Colin and that was my original suggestion. We do use web.config
to store connection strings but use TripleDES encryption to encrypt
entire strings and then store in web.config. If connection string to be
used very frequently, we save it into application variable using
Application_OnStart event of global.asax.
And by the way web.config is NOT new global.asa. There still us
global.asax which does stuff like Session_OnStart, On_End,
Application_OnStart, OnEnd and some new cool events like
Application_BeginRequest, Application_AuthenticateRequest and
Application_Error. Web.config can't do this stuff.
-----Original Message-----
From: Colin MacKenzie [mailto:colin@t...]
Sent: Monday, March 17, 2003 10:42 AM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
I've been watching this thread quite closely as I've been wondering what
other people have done about this issue.
From what I've used previously (a number of years writing "old":) asp
code), global.asa was the way to go. From my understanding of how .net
works, web.config seems to be the "new" global.asa... cool!:)
So, I have just one lil question on this last reply. If your .net stuff
is being hosted externally, couldn't you say, base64 encrypt what the
web.config file actually holds, then decrypt it in your page?? It might
take an extra cycle or two, but hey, it's on a remote host anyway:)...
seems to me, this would give you another layer of protection against
prying eyes...
Anyway, just a thought...
Cheers all
Colin MacKenzie
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Sunday, March 16, 2003 6:49 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, it may not be "hackable" from "outer space" but as you noted, it
is
still a plain text file which can be read from anybody with
physical/file
system access to server. If you use external ISP to host your site, then
obviously you can not store in registry and web.config is the only
option.
-----Original Message-----
From: CarlosM@t... [mailto:CarlosM@t...]
Sent: Friday, March 14, 2003 6:32 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Why do you say that?
Unless people have access to your Virtual Directory where you site is
stored then your web.config file is safe , NTFS file/folder permissions
should be sufficient to keep the web.config safe.
ADSI and DirectoryServices advice :
http://groups.yahoo.com/group/ADSIANDDirectoryServices
WMI programming advice : http://groups.yahoo.com/group/WMIPROGRAMMING
Carlos Magalhaes
-----Original Message-----
From: irfan.syed@g... [mailto:irfan.syed@g...]
Sent: Friday, March 14, 2003 12:06 PM
To: ASP.NET
Subject: [aspx] RE: where to store connectionstring
Well, I won't recommend storing connection string in web.config unless
it
is encrypted. If you don't encrypt it, the best way to go is to store it
in registry.
-----Original Message-----
From: Gerhard Wentink [mailto:gerhard@d...]
Sent: Friday, March 14, 2003 5:32 PM
To: ASP.NET
Subject: [aspx] where to store connectionstring
I was wondering where you girls and guys store the connectionstring in a
web application. In a recent project I stored it as a public variable in
the Global.asax file. It works allright, but I just wondered how other
developers deal with this
issue.
Regards,
Gerhard Wentink
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
---
Change your mail options at http://p2p.wrox.com/manager.asp or to
unsubscribe send a blank email to
|
|
|
View Cart
