Best Security Practices for ASP against SQL Server - ASP Database

  1. #1

    Re: Best Security Practices for ASP against SQL Server

    No, you shouldn't use a DSN. You should use OLEDB connection strings and
    create your connection when you need it. You can store the connection
    string anywhere you'd like though.

    Get your OLE DB connection strings here: [url]http://www.connectionstrings.com/[/url]

    Set oADO = Server.CreateObject("adodb.connection")
    oADO.Open YourOLEDBConnectionString

    Ray at home

    --
    Will trade ASP help for SQL Server help


    "William Johnson" <wbj4cdc.gov> wrote in message
    news:04a701c3515d$7d12fa70$a101280aphx.gbl...
    > I have different bits of advice about what is acceptable
    > practice. I found a KB article (Q169377) advising to put
    > the DSN string in the global.asa. Is this really ok and
    > why?

    Ray at Guest

  2. #2

    Re: Best Security Practices for ASP against SQL Server

    If you REALLY want the BEST security practice, you would
    use NT Integrated security for your authentication.

    However, this is not always feasible, especially for
    public websites.

    The problem with storing your connection string anywhere
    on the server, whether in the global.asa or anywhere else,
    is the uid and password are stored in clear text. This is
    a potential for compromise.

    We have created a VB dll and stored our connection strings
    there. Even this is not 100% secure, as it is technically
    possible to hack the dll and retrieve the uid and
    passwords, but it's more secure than storing them in a
    plain text file like global.asa. Our next step is to make
    the dll run in its own security context and use NT
    integrated security for the dll. Then we won't even store
    the uid and password in the dll.

    >-----Original Message-----
    >I think he was asking from a security perspective.
    >
    >I usually put my connection strings in global.asa as a Session variable.
    >Keeping it in one spot makes it a lot easier if you change databases.
    >
    >
    >"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    >news:ODuqP5ZUDHA.1012TK2MSFTNGP11.phx.gbl...
    >> No, you shouldn't use a DSN. You should use OLEDB connection strings and
    >> create your connection when you need it. You can store the connection
    >> string anywhere you'd like though.
    >>
    >> Get your OLE DB connection strings here:
    >> [url]http://www.connectionstrings.com/[/url]
    >>
    >> Set oADO = Server.CreateObject("adodb.connection")
    >> oADO.Open YourOLEDBConnectionString
    >>
    >> Ray at home
    >>
    >> --
    >> Will trade ASP help for SQL Server help
    >>
    >>
    >> "William Johnson" <wbj4cdc.gov> wrote in message
    >> news:04a701c3515d$7d12fa70$a101280aphx.gbl...
    >> > I have different bits of advice about what is acceptable
    >> > practice. I found a KB article (Q169377) advising to put
    >> > the DSN string in the global.asa. Is this really ok and
    >> > why?

    John Beschler Guest

  3. #3

    Re: Best Security Practices for ASP against SQL Server

    We keep our connection string and other global variables in an include file:
    sitevariables.asp

    and then in our asp-page it's just this include
    <!--#include file="ourincludefolder/sitevariables.asp" -->

    You don't have to use session or application variable then.

    Dave Woestenborghs
    ASP Developer
    Belgium

    "Tom B" <shucklehotmail.com> wrote in message
    news:%23FlGWCeUDHA.2364TK2MSFTNGP09.phx.gbl...
    > I think he was asking from a security perspective.
    >
    > I usually put my connection strings in global.asa as a Session variable.
    > Keeping it in one spot makes it a lot easier if you change databases.
    >
    >
    > "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    > news:ODuqP5ZUDHA.1012TK2MSFTNGP11.phx.gbl...
    > > No, you shouldn't use a DSN. You should use OLEDB connection strings and
    > > create your connection when you need it. You can store the connection
    > > string anywhere you'd like though.
    > >
    > > Get your OLE DB connection strings here:
    > > [url]http://www.connectionstrings.com/[/url]
    > >
    > > Set oADO = Server.CreateObject("adodb.connection")
    > > oADO.Open YourOLEDBConnectionString
    > >
    > > Ray at home
    > >
    > > --
    > > Will trade ASP help for SQL Server help
    > >
    > >
    > > "William Johnson" <wbj4cdc.gov> wrote in message
    > > news:04a701c3515d$7d12fa70$a101280aphx.gbl...
    > > > I have different bits of advice about what is acceptable
    > > > practice. I found a KB article (Q169377) advising to put
    > > > the DSN string in the global.asa. Is this really ok and
    > > > why?
    > >
    > >
    >
    >

    DaWoE Guest

  4. #4

    Re: Best Security Practices for ASP against SQL Server

    That is a potential security risk if you store the
    password as part of the connection string. It is
    technically possible for IIS to return the contents of an
    ASP page to the browser under certain conditions. If you
    use an include file it should NOT have an ASP extension
    (or any extension that could be returned to the browser).
    MS recommends using the global.asa for that reason. If you
    want to store your site variables in the file as well, at
    least use a different extension such as ".inc". The MS
    folks will correct me if I'm wrong, but I believe that IIS
    will not return the contents of a ".inc" file to the
    browser.


    >-----Original Message-----
    >We keep our connection string and other global variables in an include file:
    >sitevariables.asp
    >
    >and then in our asp-page it's just this include
    ><!--#include file="ourincludefolder/sitevariables.asp" -->
    >
    >You don't have to use session or application variable then.
    >
    >Dave Woestenborghs
    >ASP Developer
    >Belgium
    >
    >"Tom B" <shucklehotmail.com> wrote in message
    >news:%23FlGWCeUDHA.2364TK2MSFTNGP09.phx.gbl...
    >> I think he was asking from a security perspective.
    >>
    >> I usually put my connection strings in global.asa as a Session variable.
    >> Keeping it in one spot makes it a lot easier if you change databases.
    >>
    >>
    >> "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    >> news:ODuqP5ZUDHA.1012TK2MSFTNGP11.phx.gbl...
    >> > No, you shouldn't use a DSN. You should use OLEDB connection strings and
    >> > create your connection when you need it. You can store the connection
    >> > string anywhere you'd like though.
    >> >
    >> > Get your OLE DB connection strings here:
    >> > [url]http://www.connectionstrings.com/[/url]
    >> >
    >> > Set oADO = Server.CreateObject("adodb.connection")
    >> > oADO.Open YourOLEDBConnectionString
    >> >
    >> > Ray at home
    >> >
    >> > --
    >> > Will trade ASP help for SQL Server help
    >> >
    >> >
    >> > "William Johnson" <wbj4cdc.gov> wrote in message
    >> > news:04a701c3515d$7d12fa70$a101280aphx.gbl...
    >> > > I have different bits of advice about what is acceptable
    >> > > practice. I found a KB article (Q169377) advising to put
    >> > > the DSN string in the global.asa. Is this really ok and
    >> > > why?

    John Beschler Guest
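
An added example, not code from any poster in this thread: a Python audit of a web root for files holding a uid/password connection string, which is the cleartext-storage and include-file exposure concern raised in posts #2 and #4. The `SCRIPT_MAPPED` set, the sample site layout and every value in it are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: extensions this server hands to the ASP engine instead of
# returning as-is. Confirm against the site's real script mappings.
SCRIPT_MAPPED = {".asp", ".asa"}

# A password embedded in a connection string ("pwd=" or "password=").
CRED_RE = re.compile(r"\b(?:pwd|password)\s*=\s*[^;\"'\s]+", re.IGNORECASE)

def audit(web_root):
    """Return sorted (relative_path, finding) for credential-bearing files."""
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if not CRED_RE.search(path.read_text(errors="ignore")):
            continue
        if path.suffix.lower() in SCRIPT_MAPPED:
            finding = "cleartext credential in script file"
        else:
            # Not script-mapped: a direct request may return the file body.
            finding = "cleartext credential in file that may be served raw"
        findings.append((path.relative_to(root).as_posix(), finding))
    return sorted(findings)

def build_sample(root):
    """Write a constructed site layout (placeholder values only)."""
    root = Path(root)
    sql_login = "Provider=SQLOLEDB;Data Source=DBHOST;uid=app;pwd=PLACEHOLDER;"
    trusted = "Provider=SQLOLEDB;Data Source=DBHOST;Integrated Security=SSPI;"
    (root / "ourincludefolder").mkdir()
    (root / "global.asa").write_text(f'Session("conn") = "{sql_login}"\n')
    (root / "ourincludefolder" / "sitevariables.inc").write_text(
        f'<% gConn = "{sql_login}" %>\n')
    (root / "default.asp").write_text(f'<% gConn = "{trusted}" %>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel_path, finding in audit(tmp):
            print(f"{rel_path}: {finding}")
```

The file using integrated security produces no finding because it carries no password at all; the other two differ only in whether the server would execute them or hand them back.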

  5. #5

    Re: Best Security Practices for ASP against SQL Server

    "Chris Hohmann" <hohmannATyahooDOTcom> wrote in message
    news:uoN8oztUDHA.1812TK2MSFTNGP11.phx.gbl...
    > As for securing the connection string, I've adopted the policy of using
    > a reference to a Data Link File as my connection string. i.e.:
    >
    > gConn = "FILE=C:\SomePathOutsideApplicationRoot\MyDatabase.udl"

    Sorry, that should be:

    gConn = "File Name=C:\SomePathOutsideApplicationRoot\MyDatabase.udl"


    Chris Hohmann Guest
