Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations biv343 on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hiding an oracle password in an ASP page

Status
Not open for further replies.
telemorgan

telemorgan

MIS
Oct 9, 2003
174
US
I am creating an ASP webpage that connects to an oracle database. I have the username and password imbedded into a connection string within the code on the page. Anyone that can run that page can simply "view source" and see the connection string. Does anyone have a way that I can hide or encrypt this username\password so that a user cannot view it?

Thanks in advance

 
Sort by date Sort by votes

I have the username and password imbedded into a connection string within the code on the page. Anyone that can run that page can simply "view source" and see the connection string.
Click to expand...

No they can't.

Anything in a .asp file and inside <% and %> will not be sent to the browser, so no amount of 'view-source' will get them to see what your server side code is.

It will be visible to anyone with access to the filesystem that the webserver reads the files from though - however this is usually developers/admins only, so is normally 'acceptable'. There are ways of securing further, such as using a DLL to store your DB connectivity logic (and the password etc). But it makes maintenance more difficult and complicates the solution.



A smile is worth a thousand kind words. So smile, it's easy! :)
 
Upvote 0 Downvote
Upvote 0 Downvote
etjohnson81,

Depending on your access to the server where your sight is, you can put an include file in a directory not on the website, then use a Server.Mappath("c:\notinwww\connstring.asp")
Click to expand...

I think you might want to clarify a few things in your post:
a) you would commonly use the <!--#include virtual.... declaration to 'include' an additional asp file.
b) you could use Server.Execute, or Execute and FSO to process the file using Mappath... but why go to the trouble (and create complexities / issues in the process) ?
c) what extra (real) security is this providing over a standard included asp file ? None, really.
d) most server set-ups (esp. IIS 6.0 by default) will disable parent paths, breaking server.mappath when accessing outside of the website root.
e) mappath translates from a website relative path (e.g. /) to an absolute path (e.g. C:\...) - so it wouldn't take an absolute path as a parameter.

Hope that helps to clarify things for you.



A smile is worth a thousand kind words. So smile, it's easy! :)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

penguinspeaks
  • Locked
  • Question
Return to current location on page after asp processes.
Replies
2
Views
467
penguinspeaks
penguinspeaks
penguinspeaks
  • Locked
  • Question
write HTML code within ASP line
Replies
1
Views
562
xwb
xwb
JScannell
  • Locked
  • Question
Border issue with Google Chrome on an Android phone
Replies
0
Views
422
JScannell
JScannell
leifoet
  • Locked
  • Question
How to send HTML emails with ASP classic?
Replies
0
Views
580
leifoet
leifoet
leifoet
  • Locked
  • Question
Code does not run in Microsoft Edge - it does in Google Chrome
Replies
3
Views
777
leifoet
leifoet

Part and Inventory Search

Sponsor

Back
Top