how to hide the connection string information 2

Status
Not open for further replies.

kathyk

Programmer
Nov 2, 2000
7
US
What has anyone used to hide the connection string information that appears in the client side code (with user id and password)? Microsoft suggested using a "Handler" but our SQL code is too complex to include within the Handler. They are now recommending using an asp page with xml data connection information (referenced on the object tag). We are trying that now.

Any other suggestions?

Thanks in advance for any comments,

kathyk
 
I don't understand, the Connection String information should only show on the ASP source not in the client-side output. Even better, all connections should be running through COM objects and the ASP shouldn't be concerned with the gory details.
Wushutwist
 
Try to store the connection string in your global.asa file and use them when you wish...

________

George
 
Wushutwist and shaddow,
Thanks for such a quick response. I referred your responses to my programmer for comments. She replied:

"Number one (Wushutwist) is referring to only having strings in server side code (not possible with rds except maybe with this xml persist stuff).
I am not trying to do com objects where they run on server - a whole new area I haven't tried yet.

Number two (Shaddow) is interesting.... I will look at that."

kathyk
p.s. what com objects are you referring to?
 
Sorry, since this is an ASP forum I assumed it was a server-side question. Secondly the global.asa file is only accessible to server-side code, unless you are running an unpatched version of IIS. In which case the entire world can see your global.asa content :).
Wushutwist
 
If you use the ADO Connection object and connect to the db that way, the connection information will not be shown to the client browser. Or you could write your own COM object to connect to the database, and call that from an ASP page.

What is rds?

Brian J. Alves
Email: brian.alves@worldnet.att.net
VB / ASP / Crystal / SQLServer
 
balves: According to my SQL Server Magazine: "Remote Data Services (RDS) is a collection of COM objects (Data Factory, DataControl and Data Space) that lets you add HTTP capabilities to ADO."

Wushutwist: yes, she remembers something about not using the global.asa. Maybe that was it.
Looks like we will be looking at COM objects as everyone has suggested.
Project is going to be delayed anyway so we might as well consider all of our options.

thanks again,
kathyk



 
I might throw in another suggestion if it is not too late.... My experience has been that if you are using a SQL server then the easiest way to secure it is to put stored procedures on the server that do all of your database operations (I mean even select * from type queries). Then invoke the stored procedure and pass the parms to it, with statements like:


Set rs = Server.CreateObject("ADODB.Recordset")
' Builds the EXECUTE statement; the request value is concatenated into the SQL text as-is
ssql = "execute storedprocedurename @param1=" & Request("param1")


Now that you are calling a specific stored proc make sure and only allow the stored procedure access from your web app.

The next thing is to set up a UDL--Uniform Data Locator to store the connection string and password. It is kinda tricky as there is no wizard to call for a UDL.

First name a blank text file with the extension .udl
Close it then double click it to bring up the UDL Editor
Fill in all of the data and make your connection. Store the UDL in a secure directory somewhere other than your web. Set this directory to share with your web server.

Then.....whew you still with me?......make an application variable in your Global.asa that points to the UDL address...


then you can Open your recordset with a command like this:



rs.open ssql,application("udlname")


This should work depending on your network and its authentication settings etc.


so to recap

1. Make a stored procedure that does the calculations
2. Give execute rights to the stored procedure and deny rights to everything else.
3. Make a UDL that uses the Authentication set in the SQL server
4. Store the UDL in a private directory that shares with your web server.
5. Make an application variable that points to the UDL
6. Call the SQL server by calling the Application variable
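
The recap above, as an added example that is not part of any post in this thread: a classic ASP page that opens the connection through the Application variable pointing at the UDL and calls the stored procedure with a bound, typed parameter instead of concatenating the request value into the SQL text. Assumptions: `@param1` is an integer, `Application("udlname")` holds a string of the form `File Name=<path to the .udl>`, and the path shown in the comment is hypothetical.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' ADO constants (same values as in adovbs.inc) so no include file is needed.
Const adCmdStoredProc = 4, adInteger = 3, adParamInput = 1

Dim cn, cmd, rs, re, rawId

' Force the request value to a string and accept only 1-9 decimal digits
' (assumption: @param1 is an integer key).
rawId = Trim(Request("param1") & "")
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Assumed to be set in global.asa, e.g.
'   Application("udlname") = "File Name=D:\private\webapp.udl"  (hypothetical path
'   outside the web root). No user id or password appears in the page itself.
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("udlname")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "storedprocedurename"
' The value travels as a typed parameter and is never parsed as SQL text.
cmd.Parameters.Append cmd.CreateParameter("@param1", adInteger, adParamInput, , CLng(rawId))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so database content cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs.Fields(0).Value & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
cn.Close
Set rs = Nothing
Set cmd = Nothing
Set cn = Nothing
%>
```

With execute rights granted only on the procedure (steps 1 and 2 of the recap), the account named in the UDL cannot run ad hoc queries even if a page is later written carelessly.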
 
Did you get the ASP page to work to hide your connection string? If you did, can you help me?
 
If you let the global.asa file without setting the security access only just for this file this could happen, but if you do not want to use this file put the entire code in a file on another hdd or partition, set the security and then include it in your asp file. The code is inserted at execution and then will not be so visible...


<%@ Language=VBScript %>
<!--#include file="c:\My Connections\db_Connection.asp"-->

and Wushutwist you are right, but this is one solution and if you use IIS without patching it's your problem... if they could breach in your IIS they could get your component, you don't think?

________

George
 
AgentM, We did hide the connection string using a "Handler" - suggestion from Microsoft.
My programmer provides the following explanation:
This is the idea:
If a user does a show source the information they see is just what is on the param tags. They never see the info in the dfmap file used by
the handler.

It took us quite a few tries with Microsoft's help in getting this working. It appears that any corruption on the dfmap file can cause this not to work. So, the file should be created in notepad on the server. This is ok for intranet but not sure about security for internet. The handler is, I believe, in an unreg state. We tried it first in a registered state or on state... but under the later mdac releases it is not necessary to have it on and I believe this makes it more secure.

Here is the RDS OBJECT:

<object CLASS="RDS" classid="CLSID:BD96C556-65A3-11D0-983A-00C04FC29E33" height="1" id="RDS" width="1">
<PARAM NAME="Server" VALUE="<PARAM NAME="Connect" VALUE="Data source=CONNECTTOMATCH">
<PARAM NAME="Handler" VALUE="MSDFMAP.Handler,dfmap.ini">
<PARAM NAME="SQL" VALUE="Authors">

This is the object tag for an RDS object. The server is your webserver parameter, the handler parameter takes the driver?, and the dfmap.ini file
(and I do believe it needs to be named that). The dfmap.ini file is in the winnt directory. It contains a reference to a system ODBC DSN,
the userid and password and looks like the following.

Here is the dfmap.ini file:

[connect CONNECTTOMATCH]
Access=ReadWrite
Connect="DSN=YOURSYSEMDSN;UID=xxxxxxx;PASSWORD=xxxxxxx;"

[sql authors]
;If we want to disable unknown SQL values, we set Sql to an invalid query.
Sql="select * from authors"

Notice the datasource in the param, must match the [connect ..........]. It doesn't matter what you call it but they must match.

The only security risk is you still have the password in a text based file but that file is on the webserver winnt directory- which
should be secured from the rest of the world. The password is never passed

Good luck.....
 