[.net] Removing connection strings from my projects

4 comments, last by Nik02 14 years, 1 month ago
As I was working on a project to get the hang of ASP.NET and so on, I just added all the connection strings (passwords and all), but now I am migrating over to a class library for my data access layer and I need to make sure I haven't left any sensitive data lying around. I've deleted all the info in the web.config and app.config files as well as the setting.setting file in the project properties folder, but does Visual Studio 2008 dump connection string data anywhere else I may have missed?
You can do a "find in files" to search for the connection strings in all files of your workspace.

That said, the default ASP.net providers usually only consider connection strings specified in web.config (as well as those inherited from machine.config). The .setting file is for your own stuff so you need to be aware what you put in there.

Niko Suni

Quote:Original post by Nik02
You can do a "find in files" to search for the connection strings in all files of your workspace.

That said, the default ASP.net providers usually only consider connection strings specified in web.config (as well as those inherited from machine.config). The .setting file is for your own stuff so you need to be aware what you put in there.


Ah I see. Thanks for the info.
A small tip: If you are using SQL Server, it is a good practice to use Windows authentication (instead of SQL Server authentication) so you don't even accidentally specify user credentials in the config files. Server name, by itself, is usually useless to a hacker.

By default, both ASP.net and SQL Server have their own Windows accounts that you can tweak to grant or deny access to various things.

Niko Suni
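
A scripted form of the "find in files" check from this thread, combined with the Windows authentication tip above (an added example, not part of the original posts): it walks a workspace and labels each connection string by whether it carries credentials or uses integrated security. The suffix list, the sample tree and every name and value in it are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of file types worth scanning in a Visual Studio workspace.
SCAN_SUFFIXES = {".config", ".settings", ".cs", ".vb", ".dbml", ".xml"}
# One connection string: key=value pairs around a data-source keyword, inside quotes or an element.
CONN_RE = re.compile(r"[^\"'<>\r\n]*\b(?:Data Source|Server|Initial Catalog|Database)\s*=[^\"'<>\r\n]+", re.I)
CRED_RE = re.compile(r"\b(?:password|pwd|user id|uid)\s*=", re.I)
WINAUTH_RE = re.compile(r"\b(?:integrated security|trusted_connection)\s*=\s*(?:true|yes|sspi)\b", re.I)

def classify(conn):
    """Label one connection string by how it authenticates."""
    if CRED_RE.search(conn):
        return "credentials"      # SQL Server authentication: secrets sit in the file
    if WINAUTH_RE.search(conn):
        return "windows-auth"     # only server and database names are exposed
    return "no-auth-keys"

def scan(root):
    """Return sorted (relative path, line number, label) for each connection string under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for match in CONN_RE.finditer(line):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, lineno, classify(match.group(0))))
    return sorted(findings)

def build_sample(root):
    # Constructed project tree: a config file plus a generated designer file (values made up).
    files = {
        "Web.config": '<connectionStrings>\n  <add name="Db" connectionString='
                      '"Data Source=DBHOST;Initial Catalog=Shop;Integrated Security=SSPI" />\n',
        "Properties/Settings.Designer.cs": '[DefaultSettingValueAttribute('
                      '"Data Source=DBHOST;Initial Catalog=Shop;User ID=app;Password=EXAMPLE-ONLY")]\n',
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```
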

Quote:Original post by Nik02
A small tip: If you are using SQL Server, it is a good practice to use Windows authentication (instead of SQL Server authentication) so you don't even accidentally specify user credentials in the config files. Server name, by itself, is usually useless to a hacker.

By default, both ASP.net and SQL Server have their own Windows accounts that you can tweak to grant or deny access to various things.


Hmm, I always assumed that would add a lot of complexity to the system. If you end up with multiple servers in your configuration wouldn't that necessitate the use of Active Directory?
AD is recommended anyway if your infrastructure is big enough to warrant multiple servers. It isn't very difficult to set up if you are careful (thus actually read and understand the docs before setting up your domain controller).

That said, neither SQL Server Windows authentication nor ASP.net requires AD by itself, unless you're running on a clustered farm. The credentials and rights are merely easier to administrate centrally instead of per-machine.

Niko Suni
