• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 608
  • Last Modified:

Encrypting a password used in a MySql Connection string

I have attached some C# code that is used in a .aspx file.  As you will see there is a MySql connection string with the password set as password.  Obviously that's not the real paasword, but I need to know if I need to encrypt that password as this page faces the public.  I would assume that if a user can get to the page from the public internet then they could harvest the username and password for the SQL database.

How do I avoid this? Do I encrypt the password in the .aspx file?  If so, how?  If not then what should I be doing?
<%@ Page Language="C#" AutoEventWireup="False" EnableSessionState="False" EnableViewState="False" %>

<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.Odbc" %>




<%@ Import Namespace="MySql.Data.MySqlClient" %>

<script runat="server">
     private const string ConnStr = "Server=localhost;Database=vcard;uid=root;pwd=password;";

     protected override void OnInit(EventArgs e)
     {
          base.OnInit(e);

          string strAttorneyEmail = Request["email"];

          MySqlDataReader MySQLReader;

          MySql.Data.MySqlClient.MySqlConnection conn;
          MySql.Data.MySqlClient.MySqlCommand cmd;

          conn = new MySql.Data.MySqlClient.MySqlConnection();

Open in new window

0
TPBPIT
Asked:
TPBPIT
  • 10
  • 8
  • 2
2 Solutions
 
MBoyCommented:
Use something simple like the following..


public static string xCrypt(string Text)
{

      string strTempChar = "";
      int i;
      for (i = 1; i <= Len(Text); i++) {
            if (Asc(Mid(Text, i, 1)) < 128) {
                  strTempChar = (string)Asc(Mid(Text, i, 1)) + 128;
            }
            else if (Asc(Mid(Text, i, 1)) > 128) {
                  strTempChar = (string)Asc(Mid(Text, i, 1)) - 128;
            }
            Mid(Text, i, 1) = Chr((int)strTempChar);
      }
      return Text;

}

0
 
TPBPITAuthor Commented:
I'm not having to pass the password into the current .aspx file.  Would the above code work and if so, how do I use it?
0
 
MBoyCommented:
Just add another file to be read every time you need to get your password.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
TPBPITAuthor Commented:
Lol.  Ok, I did stay at a Holiday Inn Express last night, but I'm not a developer especially not in C#.  Someone did the original work for me and disappeared.  Any detailed help or explaination you can give would help me greatly because the more complex it gets, the more I sucks a coding.
0
 
AsishRajCommented:
This is how you do it

Dim SqlConnection As New SqlConnection(WebConfigurationManager.ConnectionStrings("ConnectionString").ToString())

Webconfig - safest in the business
<add name="ConnectionString" connectionString="Provider=MySQLProv;Data Source=mydb;User Id=myUsername;Password=myPassword;/>
0
 
AsishRajCommented:
sorry small mistake in the above code

WebConfig
<connectionStrings>
<add name="BMREConnString" connectionString="Server=;Port=;Database=;Uid=;Pwd=;pooling=false;" providerName="MySql.Data.MySqlClient"  />
</connectionStrings>

myConnection = ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString

0
 
TPBPITAuthor Commented:
Ok, so I add the part under the webconfig to the webconfig.  Do I add it anywhere in the webconfig?

Second, what is this clause and where do I use it? myConnection = ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString
0
 
AsishRajCommented:
instead of this
private const string ConnStr = "Server=localhost;Database=vcard;uid=root;pwd=password;";

Use this
private const string ConnStr =ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString


0
 
TPBPITAuthor Commented:
Asish,

I made the changes above, but I get the attached error.  What am I doing wrong?  Ovbiously it has something to do with the web.config and the connection string, but I'm at a loss.
web.config
web.config-error.JPG
0
 
TPBPITAuthor Commented:
Ok, minutes after posting the last message I found what I was doing wrong in the web.config file.  There was no opening for the connection string.

Now that I have fixed that, I'm getting the following error when the aspx page is trying to use the connection string.  See the attached image.  I have also attached the being of the code on the aspx page.
<%@ Page Language="C#" AutoEventWireup="False" EnableSessionState="False" EnableViewState="False" %>

<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.Odbc" %>




<%@ Import Namespace="MySql.Data.MySqlClient" %>

<script runat="server">
     private const string ConnStr =ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString;


     protected override void OnInit(EventArgs e)
     {
          base.OnInit(e);

          string strAttorneyEmail = Request["email"];

Open in new window

aspx-error.JPG
0
 
AsishRajCommented:
Try this instead
private const string ConnSt = System.Configuration.ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString;

In WebConfig
<add name="ConnectionString" connectionString="Server=myServerAddress;Database=myDataBase;Uid=myUsername;Pwd=myPassword;
providerName="MySql.Data.MySqlClient"/>



0
 
AsishRajCommented:
for more infor on Connection string you can have a look at below url

http://www.connectionstrings.com/mysql
0
 
TPBPITAuthor Commented:
I've tried several different connection string lines, but nothing works.  I keep getting an error that points to the connection string.
0
 
AsishRajCommented:
instead of

private const string ConnSt = ...

try this

private string ConnSt = ......
0
 
TPBPITAuthor Commented:
I already tried that with this being the results
next-error.JPG
0
 
AsishRajCommented:
Can you post the whole function and copy of webconfig
0
 
TPBPITAuthor Commented:
I put both of them in txt files.
vcardaspx.txt
webconfig.txt
0
 
TPBPITAuthor Commented:
Asish, did you have a chance to look at this?
0
 
AsishRajCommented:
sorry mate, i got busy, will give it a look probably 2day
0
 
TPBPITAuthor Commented:
AsishRaj, I found the problem and was able to fix it.  The variable name I was declaring was spelled differently than what I was using.  Apparently I deleted a letter.

Thanks for all your help.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 10
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now