November 16, 2011 at 9:59 pm
I have a website in basic ASP. I'm using a SQL Server database on a GoDaddy server. How can I hide the database password in my ASP code? I have it in my global.asa file now in a session variable. There are hundreds of pages. Is there a better way to hide the password? thx. JR.
November 17, 2011 at 2:36 am
The best way would be using Windows authentication.
Is it an option in your case?
-- Gianluca Sartori
November 17, 2011 at 7:50 am
I agree that Windows authentication would be ideal, but what do you mean you have the password in global.asa? Is it in your connection string? The number of pages doesn't matter because the connection is in global.asa. By default IIS web servers will not serve pages with that extension. You said you have it stored in global.asa but you also said you have it in the session. DO NOT put your connection information in the session.
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
November 17, 2011 at 11:29 am
Hi guys, Thanks for the advice. I looked up Windows Authentication as I have not used it. I understand it only works with ASP.NET. I'm still using old plain ASP. And yes, I have the entire database string and password in my global.asa file. In the global I put it in a session variable so I can access it on any page. I just figured there would be a safer way using plain ASP.
Do you know if there is some sort of Windows Authentication that might work with plain ASP? Or any other ideas?
thanks, do appreciate your time.
JR
November 17, 2011 at 12:41 pm
psjrw (11/17/2011)
Hi guys, Thanks for the advice. I looked up Windows Authentication as I have not used it. I understand it only works with ASP.NET. I'm still using old plain ASP. And yes, I have the entire database string and password in my global.asa file. In the global I put it in a session variable so I can access it on any page. I just figured there would be a safer way using plain ASP. Do you know if there is some sort of Windows Authentication that might work with plain ASP? Or any other ideas?
thanks, do appreciate your time.
JR
Are you putting your string in the session like Session("ConnectionString") = "string details" ???
You do NOT want to do that. You want to set an Application variable in the Application_OnStart method of global.asa, like this:
Application("ConnectionString") = "Your Connection string here"
That is pretty much the best way for classic ASP.
November 17, 2011 at 1:02 pm
psjrw (11/17/2011)
Hi guys, Thanks for the advice. I looked up Windows Authentication as I have not used it. I understand it only works with ASP.NET. I'm still using old plain ASP.
Windows authentication works just fine with ADO as well as ADO.net.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
November 17, 2011 at 1:31 pm
Thanks for the advice. It's my first time on a forum. I read the Etiquette. Be better next time. I'll try the Application variable.
thanks,
November 17, 2011 at 1:32 pm
I'll check out the Windows Authentication. Thanks for your time.
November 17, 2011 at 1:36 pm
psjrw (11/17/2011)
Thanks for the advice. It's my first time on a forum. I read the Etiquette. Be better next time. I'll try the Application variable. thanks,
Not sure where you think you violated some sort of etiquette. You posted a question and several people discussed it. Nothing to worry about at all. 😀
November 17, 2011 at 1:37 pm
psjrw (11/17/2011)
I'll check out the Windows Authentication. Thanks for your time.
With GoDaddy being shared hosting, you get SQL users only for access to your SQL instance.
You might consider storing the connection string in global.asa as an encrypted string, and then decrypting it in the ASP page prior to use;
but as reported previously, only someone with FTP access (or what is it, FrontPage extensions?) could get to the global.asa file and read it; the server will not render any requests for the page.
Lowell
November 19, 2011 at 1:00 am
Hi, and thanks for your idea about encrypting the Global.asa file. We think alike. Currently I left the global.asa the way it is as a decoy. But I just made a txt file and put the encrypted password in that. Then I open the txt file in the asp page and decrypt it.
Another question if you don't mind. If I put the decrypted password in a session("password") variable for the rest of the website to use, do you think a robot could catch it? My concern here is from lack of experience. Do you think a hacker can leave a robot on my website that can read the session("password") at any time and send it to him? If they can, it would be better to never use a session("password") and decrypt on every page.
One more idea. What do you think about putting the encrypted password in a long URL string and decrypting it on each page?
thx.
JR.
November 21, 2011 at 7:16 am
psjrw (11/19/2011)
Hi, and thanks for your idea about encrypting the Global.asa file. We think alike. Currently I left the global.asa the way it is as a decoy. But I just made a txt file and put the encrypted password in that. Then I open the txt file in the ASP page and decrypt it. Another question if you don't mind. If I put the decrypted password in a session("password") variable for the rest of the website to use, do you think a robot could catch it? My concern here is from lack of experience. Do you think a hacker can leave a robot on my website that can read the session("password") at any time and send it to him? If they can, it would be better to never use a session("password") and decrypt on every page.
One more idea. What do you think about putting the encrypted password in a long URL string and decrypting it on each page?
thx.
JR.
Again do NOT put your password in the session. I would also think you don't need to pass your password via encrypted query string. Create a function that can decrypt your password and make it an include, then you just decrypt on each page load. Also, I would NOT use a .txt file. You should pick an extension that IIS will not serve. You could even make up an extension like .xxx and set IIS to not serve that file type.
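An added example (not code posted in this thread) showing the layout the replies above recommend for classic ASP: the connection string is read once in Application_OnStart from a file whose extension IIS is configured not to serve, kept in an Application variable rather than the Session, and opened through one shared include so no page needs the secret itself. The /secrets/db.xxx path, the .xxx extension and the dbconn.asp include name are assumptions; if the host allows Windows (trusted) authentication, the file holds a connection string with Integrated Security=SSPI and no password at all.

```vbscript
' ===== global.asa (added example) =====
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
    Dim fso, f
    ' Assumption: /secrets/db.xxx is a one-line file holding the full
    ' connection string, and IIS has been told not to serve *.xxx.
    ' Nothing here is written to Session, which is per-user state.
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath("/secrets/db.xxx"), 1)
    Application.Lock
    Application("ConnectionString") = Trim(f.ReadLine)
    Application.Unlock
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Sub
</SCRIPT>

' ===== /includes/dbconn.asp (added example; .asp so IIS never sends it raw) =====
<%
' Every page calls this instead of building its own connection string.
Function GetDbConnection()
    Dim cn
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open Application("ConnectionString")
    Set GetDbConnection = cn
End Function
%>

' ===== any page, e.g. customers.asp (added example) =====
<!--#include virtual="/includes/dbconn.asp" -->
<%
Dim cn, rs
Set cn = GetDbConnection()
' Parameterised command: page input never reaches the SQL text.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandText = "SELECT Name FROM Customers WHERE CustomerID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(Request.QueryString("id")))
Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
cn.Close
%>
```

Note that encrypting the string in the file only helps if the decryption key is stored somewhere the web account cannot read; a key sitting next to the ciphertext on the same shared host offers little more than the non-served extension already does.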
November 21, 2011 at 11:05 am
Thanks, I'll do what you say. Good advice.
November 21, 2011 at 11:30 am
What I've read is you REALLY like session variables, these can be read out at the client end easily, therefore NEVER (is that enough emphasis?) put anything in the session variables that could compromise security or give an attacker information that can be used to access your database(s) without your app.
The very best answer is NO passwords, using Windows (trusted) authentication. This depends a lot on the host settings, but if you can use it I would absolutely do that; then there are no passwords to deal with or steal.
CEWII