SQL Server Performance Forum – Threads Archive
Web Development…I do a massive amount of web development in Active Server Pages, and I use a DSN-Less connection to connect to my databases. This requires that I hard-code my userid and password in my connection string. (I do this in an Include file) What do you guys use? I basically just want to hear some ideas and discuss your best approach. I haven’t gone to ASP.Net and I’m sure with ADO.Net it may change things…possibly? Thanks for any ideas and comments. [8D] ———-
MS, MCDBA, OCA, CIW
Not a lot of options, if you just plan to connect to your database directly from your asp pages. server side includes of a ‘constants’ file is very common, but if you are also using COM or java beans then it can and more commonly is stored in the registry. Using .Net adds a little more security since part of page is complied.
One problem associated with storing the credentials in pages, is that if you have multiple servers or sites which need to use the same code (albeit with different logins), it is very difficult to maintain a shared codebase. Like tkelley says the registry is an option. Personally I tend to drop the connection string into an environment variable and have ASP read this; it tends to be a little easier to work with than the registry.
We pretty much did the same as Chappy under ASP, put the connection string in the global.asa file Application_OnStart into an application variable and then use the application variable throughout for connecting to the database.
If you’re using asp to call COM objects that do the data access then it makes sense to store the connection string in the registry or a udl file and secure it. With ASP.NET things have become alot easier, you’ve got a web.config file for the application and can create your own application setting keys with values that you can retrieve from memory at any point in your application, it also reloads any changes to the web.config file (xml structured) dynamically . If you wanted to set a connection string for all applications on a box then you could set the machine.config as all web application settings ‘inherit’ from this. I would strongly urge any asp developers to switch to ASP.NET if at all possible, it really is a better model for programming web applications. Cheers
Shaun World Domination Through Superior Software
I know most people may not have this option, but I designed an encryption class that is used in our company, and I then put the database connection information in a text file with the password encrypted. I know that at the very least if you would like to use an ASCII text file, and you do not have any encryption mechanisms, put it in a very secure directory.
"How do you expect to beat me when I am forever?"
Yea encryption of the password or the entire string is good. If you work with COM+ you can put the connectionstring in the constructor string as well (Administrative Tools -> Component Services -> Your component -> Activation -> Enable object construction). As long as you put the connectionstring in a central location that you are comfortable with it really doesn’t matter. Be it global.asa, include file, registry, udl etc. You could also use Windows Authentication if you are in a pure Windows 2000 environment (or web/sql are on the same machine) and skip the password all together if it’s security you are worried about. /Argyle
I found some further stuff in regards to the environment variable that a couple of you guys mentioned. It maintains a connection to the database. I was reading on 4guysfromrolla.com and they recommended created the connection when needed then drop and close the connection on a page by page situation. Granted, this requires more code, huh? Well, hopefully we’ll be going to ASP.Net soon. Thanks for your comments and ideas, though! ———-
MS, MCDBA, OCA, CIW