Cromulent

[.net] Removing connection strings from my projects

As I was working on a project to get the hang of ASP.NET and so on I just added all the connection strings (passwords and all), but now I am migrating over to a class library for my data access layer and I need to make sure I haven't left any sensitive data lying around. I've deleted all the info in the web.config and app.config files as well as the setting.setting file in the project properties folder, but does Visual Studio 2008 dump connection string data anywhere else I may have missed?

You can do a "find in files" to search for the connection strings in all files of your workspace.

That said, the default ASP.net providers usually only consider connection strings specified in web.config (as well as those inherited from machine.config). The .setting file is for your own stuff so you need to be aware what you put in there.

Quote:
Original post by Nik02
You can do a "find in files" to search for the connection strings in all files of your workspace.

That said, the default ASP.net providers usually only consider connection strings specified in web.config (as well as those inherited from machine.config). The .setting file is for your own stuff so you need to be aware what you put in there.


Ah I see. Thanks for the info.

A small tip: If you are using SQL Server, it is a good practice to use Windows authentication (instead of SQL Server authentication) so you don't even accidentally specify user credentials in the config files. Server name, by itself, is usually useless to a hacker.

By default, both ASP.net and SQL Server have their own Windows accounts that you can tweak to grant or deny access to various things.
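
A scripted version of the "find in files" search suggested earlier in the thread, combined with the Windows authentication tip above; this is an added example, not part of the original posts. It walks a project folder, finds quoted connection strings, and reports whether each one embeds a SQL login or relies on Windows authentication. The sample strings, the DBHOST server name and the skipped folder names are constructed assumptions.

```python
import os
import re

# A quoted string that looks like a SQL Server connection string.
CONN_RE = re.compile(r'"([^"\r\n]*\b(?:Data Source|Server)\s*=[^"\r\n]*)"', re.I)
SECRET_KEYS = {"password", "pwd"}
LOGIN_KEYS = SECRET_KEYS | {"user id", "uid"}
WINAUTH_KEYS = {"integrated security", "trusted_connection"}
SKIP_DIRS = {".git", ".svn"}  # assumption: version-control metadata is skipped
# Constructed sample lines, not taken from any real project.
SAMPLE_SQL_AUTH = 'connectionString="Data Source=DBHOST;Initial Catalog=Shop;User ID=app;Password=example-only"'
SAMPLE_WIN_AUTH = 'connectionString="Data Source=DBHOST;Initial Catalog=Shop;Integrated Security=SSPI"'

def parse_conn_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs

def classify(pairs):
    """Any login key in the file is the finding, even next to Integrated Security."""
    if LOGIN_KEYS & pairs.keys():
        return "sql-auth"
    if any(pairs[k].lower() in ("true", "yes", "sspi") for k in WINAUTH_KEYS & pairs.keys()):
        return "windows-auth"
    return "unknown"

def scan_line(line):
    """Yield (verdict, redacted string) for each connection string on a line."""
    for match in CONN_RE.finditer(line):
        pairs = parse_conn_string(match.group(1))
        redacted = ";".join(f"{k}=***" if k in SECRET_KEYS else f"{k}={v}"
                            for k, v in pairs.items())
        yield classify(pairs), redacted

def scan_tree(root):
    """Walk every file under root; return [(path, line_no, verdict, redacted)]."""
    hits = []
    for folder, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    hits += [(path, line_no, v, r) for v, r in scan_line(line)]
    return hits
```

Calling `scan_tree` on the solution folder lists every file and line that still holds a connection string; any `sql-auth` hit is a place where a login is still stored, and the password is masked in the report so the output itself can be shared.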

Quote:
Original post by Nik02
A small tip: If you are using SQL Server, it is a good practice to use Windows authentication (instead of SQL Server authentication) so you don't even accidentally specify user credentials in the config files. Server name, by itself, is usually useless to a hacker.

By default, both ASP.net and SQL Server have their own Windows accounts that you can tweak to grant or deny access to various things.


Hmm, I always assumed that would add a lot of complexity to the system. If you end up with multiple servers in your configuration wouldn't that necessitate the use of Active Directory?

AD is recommended anyway if your infrastructure is big enough to warrant multiple servers. It isn't very difficult to set up if you are careful (thus actually read and understand the docs before setting up your domain controller).

That said, neither SQL Server Windows authentication nor ASP.net require AD by themselves, unless you're running on a clustered farm. The credentials and rights are merely easier to administrate centrally instead of per-machine.
