Connect string in the web.config file

[bigfoot]

I'm running SQL Server 2K and IIs on a Win2000 server.

Is there anything wrong with putting my connection strings in my web.config file? I'm asking this because it sits out in a folder off the

http://www_root.

Can't this be downloaded by a hacker and used against me?

I'd like to use windows security, but it is not working right. I'd like to not have to have my users log in, but only if they are coming in from out side the building.

 

[Zarcom]

I put my connection strings into web.config. Just make sure that your server will not serve a .config file. In this way a hacker can't even see that you have a config file.

That'l do donkey, that'l do
Mark
If you are unsure of forum etiquette check here faq796-2540

 

[bigfoot]

Enlighten me on how to check this please.

 

[JamesLean]

By default, ASP.NET will NOT serve .config files. You can check this by browsing to:

[URL unfurl="true"]http://myserver/myapp/web.config[/URL]

You should get an error page saying it doesn't serve these pages.

--James

 

[bigfoot]

How about an XML file that I will be using to fill a dropdown for the 52 states?

Can I put this in a pertected folder?

 

[bigfoot]

I put it in the _private folder and it works great.

I ove this XML stuff!!! It's great for a small - low overhead database file.