smv939 asked:

Encrypt SQL server connection string in ASP

Hi All,
  I have an ASP page which opens the database, and the following is the connection string.
How do I encrypt this string? I want to put this in an .INC file and include it in all other ASP pages that use the connection string.

strcon="Driver=SQL Server;Server=test;UID=uid;PWD=pwd;Database=test;DSN=\\test\C$\test.dsn"
   

SMV

hielo replied:

First of all, for security reasons, that .inc file is better off being renamed .asp. Refer to the following discussion here:
https://www.experts-exchange.com/questions/23217940/Idiots-guide-to-ASP-dataconn-inc-hacks-problems.html

As far as the encryption goes, I'm not sure you can "instruct" the db driver how to decrypt the string (once you provide it an encrypted string) so that it can then authenticate with the db. From what I have seen, the username and password are passed unencrypted.
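To make hielo's point concrete, here is an added example (not code from the thread) of what the connection include looks like once it is an .asp file: everything sensitive sits inside the <% %> script delimiters, so IIS executes the block and sends no source to the browser, whereas a file with an .inc extension has no script handler and is returned verbatim to anyone who requests its URL. The file names conn.asp and page.asp and the OpenDb helper are assumptions; the connection values are the ones from the question.

```vbscript
<%
' conn.asp (assumed file name) -- keep the extension .asp, not .inc.
' With .asp, IIS runs this script block and emits nothing to the client.
' With .inc, IIS has no handler for the extension and serves the raw text,
' connection string included, to anyone who requests /conn.inc directly.
Dim strcon
strcon = "Driver={SQL Server};Server=test;UID=uid;PWD=pwd;Database=test"

' OpenDb (assumed helper) returns an open ADODB.Connection, so pages that
' include this file never touch the string themselves.
Function OpenDb()
    Dim cn
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open strcon
    Set OpenDb = cn
End Function
%>

<!--#include file="conn.asp"-->
<%
' page.asp (assumed file name): a page that needs the database.
' The include directive is resolved server-side before the script runs.
Dim cn
Set cn = OpenDb()
' ... run queries through cn here ...
cn.Close
Set cn = Nothing
%>
```

If an existing site cannot rename its includes, the same protection is available by mapping the .inc extension to the ASP script engine in IIS, or by denying read access to the include folder, so that a direct request for the file never returns its contents.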
larkydoo replied:

Another helpful discussion can be found at https://www.experts-exchange.com/questions/20083927/ASP-and-database-connection-string-security-encryption.html.

If at all possible, I'd recommend using an ODBC connection on the server. You'd need to have access to the server, or talk with someone who does, in order to use this.
smv939 (asker) replied:

I will use an .asp file instead of .INC. My SQL server got hacked 2 times. I think they are reading the database user name & password from the .asp page. Using SSL is not an option now in my company. I want to encrypt the connection string.

hielo replied:

>> I want to encrypt the connection string.
But you are still missing the point, YOU can come up with your own encryption algorithm, BUT the database will not know how to decrypt your connection string.

>>My SQL server got hacked 2 times.
If you read my discussion on the link I provided, it should be obvious how easy that would be. You need to NOT GIVE YOUR CONNECTION STRING TO THE PUBLIC. That's the problem with using ".inc" as your connection include file.
smv939 (asker) replied:

I did not use the .INC so far. The connection string was in the ASP page when it was hacked.
I thought .INC was more secure than an ASP page; that is why I thought of using it.

hielo replied:

>>The connection string was in ASP page when it was hacked.
Well, if your connection script was in an ASP page (within the <% and %> tags), the server will not "implicitly" give that info to the user; you would have to send it explicitly via some form of response.write, which I doubt you did. So, the other possibility is that your SERVER got hacked. Meaning, if you ftp files back and forth over an unencrypted session, if your username/password get hijacked, then the hacker will have the freedom to log onto your system "legally" at any time and have complete access to your files. Meaning he/she could open the db file that has the connection string saved. I suggest you change your password and use a secure ftp client.
smv939 (asker) replied:

I am not using ftp. It seems like SQL injection I faced. So what are the steps we need to take to prevent SQL injection?
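The accepted solution is not visible on this page. As an added example (not hielo's answer and not code from the thread), the following shows the standard ADO defence against SQL injection in classic ASP: the query text is fixed, and user input travels as a typed ADODB.Command parameter, so the database never parses it as SQL. The users table, its columns, the 50-character column width and the form field name are assumptions; the connection values are the ones from the question.

```vbscript
<%
' Added example: parameterised lookup with ADODB.Command.
' ADO constant values, declared here so adovbs.inc is not required:
' adCmdText = 1, adParamInput = 1, adVarChar = 200.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim cn, cmd, rs, userName
' Untrusted input: coerce to a string and cap it at the column width
' (assumed 50) so it never exceeds the parameter size declared below.
userName = Left(CStr(Request.Form("username")), 50)

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Driver={SQL Server};Server=test;UID=uid;PWD=pwd;Database=test"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn   ' Set, so ADO reuses cn instead of opening a new one
cmd.CommandType = adCmdText
' The SQL text is constant; the ? placeholder is bound below, so a value
' containing quotes or SQL keywords is compared literally against the
' column and is never executed as part of the statement.
cmd.CommandText = "SELECT id, email FROM users WHERE username = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, userName)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well, so stored data cannot inject HTML or script;
    ' the & "" turns a NULL field into an empty string before encoding.
    Response.Write Server.HTMLEncode(rs("email") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
cn.Close
Set rs = Nothing
Set cmd = Nothing
Set cn = Nothing
%>
```

The same pattern applies to INSERT, UPDATE and DELETE statements: keep every value that originates from Request.Form, Request.QueryString or Request.Cookies out of the CommandText string and bind it as a parameter whose type and size match the target column.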
ASKER CERTIFIED SOLUTION
hielo