How do you get around the security issue of having your
connection string file as an include? Meaning, anyone
who views the source of your page can get the file name
and read the file contents of your connection string?
James
I've generally put mine in an application variable, set in global.asa
however, your assertion isn't correct. ASP code is not avilable in a
view->source, and neither are include statements, so this isn't an issue as
you've described it.
--
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"James Johnson"
news:2f1c01c4b005$4c325ab0$a301280a@phx.gbl...
> How do you get around the security issue of having your
> connection string file as an include? Meaning, anyone
> who views the source of your page can get the file name
> and read the file contents of your connection string?
>
> James
>anyone who views the source of your page can get the
>file name and read the file contents of your connection
>string?
Viewing the source of a page will only display the html
that is sent back to to your browser by the web server
after it has parsed the asp page and done its thing with
the server-side code. All the server-side code, including
your connection string, isn't sent back to the browser.
> How do you get around the security issue of having your
> connection string file as an include? Meaning, anyone
> who views the source of your page can get the file name
> and read the file contents of your connection string?
Can you show an ASP file that reveals its connection string (regardless of
whether it comes from an include) in view source? Have you actually tried
to reproduce this problem, or are you just making an assumption about how
ASP works?
Now, if you use an .inc extension and tell people where your include file
is, then certainly they can get access to it by typing that URL directly.
--
http://www.aspfaq.com/
(Reverse address to reply.)
If you are concerned about someone viewing your source, then you have bigger
problems :)
The best way to protect SQL passwords is to have a "pass-through" component
that will connect to the database and do the exact same things you would
otherwise do with Connection/Command objects. You can then register the
component in COM+, let it impersonate a user and connect to the database via
a trusted connection.
Hope that helps.
--
Manohar Kamath
Editor, .netWire
www.dotnetwire.com
"James Johnson"
news:2f1c01c4b005$4c325ab0$a301280a@phx.gbl...
> How do you get around the security issue of having your
> connection string file as an include? Meaning, anyone
> who views the source of your page can get the file name
> and read the file contents of your connection string?
>
> James