
Store database connection settings

By MaryWeilage Editor
This week's .NET newsletter provides instructions on how to store database connection settings.

In the final paragraph, author Tony Patton says: "In the end, the ultimate decision is yours. You may choose to place the connection string directly within the application if security and maintenance is not an issue. The same is true with the use of a configuration or XML file and registry entries." Please let us know which method you prefer.

Encrypted string in the web.config?

by wouter In reply to Store database connection ...

Hi all,
The registry option isn't really the one for us, so we use the web.config. The only big risk is that when a hacker is on your box, the string can be read easily.
Is there maybe a secure and easy to deploy way to protect it?

web.config encryption

by dboysmith1 In reply to Encrypted string in the w ...

Prefer registry

by Goober Bob In reply to web.config encryption

I like the encryption, but I still prefer the registry since we often use the same connection across multiple applications.

CHANGE Connection String on fly

by sumithpdd In reply to Store database connection ...

Is there a way to change the connection string in the web.config file from a form?

Use XML classes

by Goober Bob In reply to CHANGE Connection String ...

.NET makes it easy to work with XML documents, so it seems like a reasonable option. My only concern is whether the web.config file will be available (accessed) since IIS does not make it available - by default. Anybody tried this?

We've utilized the registry option

by Goober Bob In reply to Store database connection ...

Storing the connection information in our Web Server's registry has worked well for us. It provides security and a central location for storing and maintaining the information. One thing we have been contemplating is encrypting the data stored in the registry, but we have not implemented it at this point.

Missing appSettings element

by aspatton Contributor In reply to Store database connection ...

The key element within the configuration XML should be contained in an appSettings element like the following:

<appSettings><add key="dbconnection" value="server=(local);Initial Catalog=Northwind;UID=tester;PWD=123456"/></appSettings>


Separate DB path, user name, and password

by fortysomething In reply to Store database connection ...

I've recently started keeping path information, which is the part of the connection string most likely to change, separate from the user name and password information. Path info can be kept in web.config, and user name and password can be kept wherever needed to meet the security needs of your application.

What security?

by john_haefeli In reply to Store database connection ...

Let's face it.

If someone gains access to your server, there is nothing you can do about security. You can make it harder, but not foolproof.

The hardest way I can think of right now is to encrypt the entire system, including binaries and dated key itself, using full machine image checksum and machine id, and have it decrypted on the fly, which is currently beyond the ability of the OS; the original software would be on a different machine, executables of which would be copied to the executable machine, write permission one time only like reformat, with no reference to the source machine, all writable persistent data being accessed through separate security-dialoged encrypted database sessions.

Good luck!

layers of security

by spiv In reply to What security?

I think the comment about plain-text in the web.config has to do with layered security.

It is quite possible for an application level bug or hack to allow a user access to the file system yet they may not have full server access.

Thus, if the connection string is not in the web.config, or is encrypted in the web.config, they will still not be able to penetrate the database.

Even with full server access, if the connection information is encrypted, the hacker will not be able to use the web server as a point of attack to jump onto the database server.
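
An added example, not part of the original thread or the newsletter: a small audit that reads a web.config and reports whether its connection settings hold a plaintext password, use integrated authentication, or sit in a section encrypted with ASP.NET protected configuration (marked by the `configProtectionProvider` attribute). The function names and the sample documents are constructed for illustration; the first sample reuses the connection string quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Keywords that place a password in an ADO.NET connection string.
PASSWORD = re.compile(r"(?:^|;)\s*(?:pwd|password)\s*=\s*[^;\s]", re.I)
# Integrated authentication: no password is stored in the string.
INTEGRATED = re.compile(
    r"(?:^|;)\s*(?:integrated security|trusted_connection)\s*=\s*(?:sspi|true|yes)", re.I)

def local(tag):
    """Strip an XML namespace so <appSettings> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return (section, entry, finding) tuples for a web.config document."""
    findings = []
    for node in ET.fromstring(xml_text):
        section = local(node.tag)
        if section not in ("appSettings", "connectionStrings"):
            continue
        # Protected configuration marks the section with this attribute and
        # replaces its <add> entries with an EncryptedData element.
        if node.get("configProtectionProvider"):
            findings.append((section, "*", "encrypted"))
            continue
        for add in node:
            if local(add.tag) != "add":
                continue
            name = add.get("key") or add.get("name") or "?"
            value = add.get("value") or add.get("connectionString") or ""
            if PASSWORD.search(value):
                findings.append((section, name, "plaintext-password"))
            elif INTEGRATED.search(value):
                findings.append((section, name, "integrated-auth"))
    return findings

# Constructed samples: the first reuses the connection string quoted in the thread.
PLAINTEXT = """<configuration><appSettings>
  <add key="dbconnection" value="server=(local);Initial Catalog=Northwind;UID=tester;PWD=123456"/>
  <add key="dbpath" value="server=(local);Initial Catalog=Northwind"/>
</appSettings></configuration>"""
ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings></configuration>"""

if __name__ == "__main__":
    for label, doc in (("plaintext", PLAINTEXT), ("encrypted", ENCRYPTED)):
        print(label, audit_web_config(doc))
```

The `dbpath` entry in the first sample carries only server and catalog, as in the split-settings approach described earlier in the thread, so it produces no finding.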
