best place to store connection string

Status
Not open for further replies.

alexjamesbrown

Programmer
Mar 7, 2007
8
GB
Hi,
just a quick question...

I usually create a db.asp file, and include it on each page I need the db connection, but where do you think is the best place to store the db connection? Anything a bit more secure?

global.asa?
 
I usually put it into a server side includes file and put an asp extension on it.

That way you can see it from a view source on a webpage.

[monkey][snake] <.
 
Just so your only response isn't monksnake, I'll chip in my two cents by giving a radically different answer.

I usually put it into server side includes file and put an asp extension on it. :)

At some point you have to determine when a solution is "good enough". The end user does not see the code in the ASP file, only the HTML that is generated. So as long as you don't Response.Write the connection string, put it in a javascript comment, etc. then you are safe enough keeping it in its own include file.
Now, while it is possible that someone could either hack into your system and read the file or find an exploit for IIS that allows them to read the file, you really have bigger problems than them being able to log into your database at this point.

One additional piece of security if you're using something like SQL Server (not Access): Set up a user specifically for the website connection, build everything as stored procedures, then lock down that user's access to only allow execution of the stored procedures. Now even if someone does manage to get access to the include file they are left with the choice of guessing a new username/password or finding something else on the system to monkey with. My bet is that in this exceedingly unlikely case they probably will go find something else to mess with.
And it means that if you one day hire an outside developer to work on the site you aren't also giving them the keys to the database.

Sorry, just some long-winded thoughts :)

-T

Best MS KB Ever:
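
The locked-down website login described in the post above, sketched in T-SQL as an added example that is not part of the original thread. The database, login, table and procedure names (ShopDb, web_app, dbo.Orders, dbo.GetOrdersForCustomer) are hypothetical, and the password is a placeholder.

```sql
-- Constructed example: every object name here is hypothetical.
USE ShopDb;
GO

-- Login and database user used only by the website's connection string.
CREATE LOGIN web_app WITH PASSWORD = '<replace-with-generated-secret>';
CREATE USER web_app FOR LOGIN web_app;
GO

-- Sample table the site reads from (owned by dbo).
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT   NOT NULL,
    Total      MONEY NOT NULL
);
GO

-- Parameterized procedure, also owned by dbo: the only path from the site
-- to the Orders table.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- Grant EXECUTE on this one procedure only. The user gets no table
-- permissions and no role memberships (db_datareader, db_datawriter,
-- db_owner). Because the procedure and the table share an owner, ownership
-- chaining lets the procedure read the table without a SELECT grant.
GRANT EXECUTE ON OBJECT::dbo.GetOrdersForCustomer TO web_app;
GO

-- Check the effective permissions while impersonating the web user:
-- direct SELECT on the table versus EXECUTE on the procedure.
EXECUTE AS USER = 'web_app';
SELECT
    HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')                AS can_select_table,
    HAS_PERMS_BY_NAME('dbo.GetOrdersForCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
GO
```

With this in place, the credentials in the include file only allow calling the procedures that have been granted, so a leaked connection string does not give ad hoc access to the tables.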
 
Tarwn, our answers are like night and day [smile].




me said:
That way you can see it from a view source on a webpage.

That should be CAN'T see it, not can.

[monkey][snake] <.
 