How to protect a connection string in ASP.

Hello,

(With ASP)

I m looking for "the best" way to secure a connection string (OLE DB or
ODBC) for an Oracle database.
Actually, i m using an include file to open and close the connection with
informations write in clear text.
I would like to permit an acces to the application over internet. How to
secure this string ?

Is it a good idea to write the connection sting in the registry or not ?
Does it exist anothers ways ? And to secure acces i think to create an NT
autentification.? What do you thong about this ?

thanks a lot for your help

fabrice

Re: How to protect a connection string in ASP.

Stick it in a .asp file OUTSIDE of the site root (oh and password the DB =
itself)

--=20
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"Fabrice" wrote in message =
news:OYlMHgTNFHA.2748@TK2MSFTNGP09.phx.gbl...
> Hello,
>=20
> (With ASP)
>=20
> I m looking for "the best" way to secure a connection string (OLE DB =
or=20
> ODBC) for an Oracle database.
> Actually, i m using an include file to open and close the connection =
with=20
> informations write in clear text.
> I would like to permit an acces to the application over internet. How =
to=20
> secure this string ?
>=20
> Is it a good idea to write the connection sting in the registry or not =
?=20
> Does it exist anothers ways ? And to secure acces i think to create an =
NT=20
> autentification.? What do you thong about this ?
>=20
> thanks a lot for your help
>=20
> fabrice
>=20
>=20

Re: How to protect a connection string in ASP.

Fabrice wrote:
> Hello,
>
> (With ASP)
>
> I m looking for "the best" way to secure a connection string (OLE DB
> or ODBC) for an Oracle database.
> Actually, i m using an include file to open and close the connection
> with informations write in clear text.
> I would like to permit an acces to the application over internet. How
> to secure this string ?

It is secure, as long as you do not allow the include file to be browsed.
The best way to prevent it from being browsed is to give it a .asp
extension. Alternatively, you can add the extension you use for the include
file into the ISAPI filters of your website.

Of course, if you are trying to protect it from people who have physical
access to your server, that's another story.

Bob Barrows

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Re: How to protect a connection string in ASP.

> Of course, if you are trying to protect it from people who have physical
> access to your server, that's another story.

Exactly. If this is the case, then even if you do hide the username and
password, they can still do anything to the database by creating their own
ASP page and emulating whatever process your existing pages use to connect
to the database.

--
Please post DDL, sample data and desired results.
See http://www.aspfaq.com/5006 for info.

Re: How to protect a connection string in ASP.

Thanks a lot
have a nice day.

Fabrice


"Fabrice" a écrit dans le message de news:
OYlMHgTNFHA.2748@TK2MSFTNGP09.phx.gbl...
> Hello,
>
> (With ASP)
>
> I m looking for "the best" way to secure a connection string (OLE DB or
> ODBC) for an Oracle database.
> Actually, i m using an include file to open and close the connection with
> informations write in clear text.
> I would like to permit an acces to the application over internet. How to
> secure this string ?
>
> Is it a good idea to write the connection sting in the registry or not ?
> Does it exist anothers ways ? And to secure acces i think to create an NT
> autentification.? What do you thong about this ?
>
> thanks a lot for your help
>
> fabrice
>
>

Re: How to protect a connection string in ASP.

So are saying that having something like

<%
Dim Conn

Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DRIVER=Microsoft Access Driver (*.mdb);DBQ=" &
Server.MapPath("/logo/db/XXX.mdb")
%> at the top of a page
isn't a good thing?? that all connections should be done from an include
page like connection.asp or something??
Jeff
"fabrice" wrote in message
news:etoqShfNFHA.1300@TK2MSFTNGP14.phx.gbl...
> Thanks a lot
> have a nice day.
>
> Fabrice
>
>
> "Fabrice" a écrit dans le message de news:
> OYlMHgTNFHA.2748@TK2MSFTNGP09.phx.gbl...
>> Hello,
>>
>> (With ASP)
>>
>> I m looking for "the best" way to secure a connection string (OLE DB or
>> ODBC) for an Oracle database.
>> Actually, i m using an include file to open and close the connection with
>> informations write in clear text.
>> I would like to permit an acces to the application over internet. How to
>> secure this string ?
>>
>> Is it a good idea to write the connection sting in the registry or not ?
>> Does it exist anothers ways ? And to secure acces i think to create an NT
>> autentification.? What do you thong about this ?
>>
>> thanks a lot for your help
>>
>> fabrice
>>
>>
>
>

Re: How to protect a connection string in ASP.

Jeff wrote:
> So are saying that having something like
>
> <%
> Dim Conn
>
> Set Conn = Server.CreateObject("ADODB.Connection")
> Conn.Open "DRIVER=Microsoft Access Driver (*.mdb);DBQ=" &
> Server.MapPath("/logo/db/XXX.mdb")
> %> at the top of a page
> isn't a good thing?? that all connections should be done from an
> include page like connection.asp or something??

I'm not sure what was said in this thread that gave you the idea that not
using an include file was not a "good thing".

It's not a "horrible" thing to do. However, think about what you would have
to do if you needed to change the location or name of the database. With an
include file, it's a single edit. Without it, it will involve editing all
the pages, unless you have a tool that allows you to do global
search-and-replace.

The "bad" thing about this connection string is that you are using the
obsolete ODBC driver instead of the Jet OLE DB provider:

Conn.open "provider=microsoft.jet.oledb.4.0;" & _
"data source=" & Server.MapPath("/logo/db/XXX.mdb")

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"