Connection String Best Practices [closed]

Answer 1

If you have full control over the server you can also store the connection string in your Machine.Config. This can be handy if you have lots of applications which all work with the same DB server.

I'm not sure if its worth encrypting it since you have to access to the server in the first place to view the machine.config. And if your server's been compromised the Encyrption won't stop a hacker from pulling the credentials from the config file.

Answer 2

You can encrypt and decrypt sections of your web.config by using the command line tool aspnet_regiis:

Encrypt: aspnet_regiis -pef "connectionStrings" "c:\folder\"

Decrypt: aspnet_regiis -pdf "connectionStrings" "c:\folder\"

Answer 3

@vartec: It's not quite a SNAFU..

IIS can indeed read encrypted text if you encrypt it using standard .NET encryption mechanism that won't break any UTF8 or Unicode encoding. Microsoft is also encouraging this as a best practice.

You can see a sample on encrypting connection string from this:

"How to: Secure Connection Strings When Using Data Source Controls"

http://msdn.microsoft.com/en-us/library/dx0f3cf2.aspx

Answer 4

you can encrypt your connection strings in your web.config file.

storing connection strings in a class as a property or a constant is not secure. anyone who uses a disassembler can see your connection string.

best way is the configuration encrypting.