Solved

Encrypting a password used in a MySql Connection string

Posted on 2010-01-12
Last Modified: 2012-05-08
I have attached some C# code that is used in a .aspx file.  As you will see there is a MySql connection string with the password set as password.  Obviously that's not the real password, but I need to know if I need to encrypt that password as this page faces the public.  I would assume that if a user can get to the page from the public internet then they could harvest the username and password for the SQL database.

How do I avoid this? Do I encrypt the password in the .aspx file?  If so, how?  If not then what should I be doing?
<%@ Page Language="C#" AutoEventWireup="False" EnableSessionState="False" EnableViewState="False" %>

<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.Odbc" %>




<%@ Import Namespace="MySql.Data.MySqlClient" %>

<script runat="server">
     private const string ConnStr = "Server=localhost;Database=vcard;uid=root;pwd=password;";

     protected override void OnInit(EventArgs e)
     {
          base.OnInit(e);

          string strAttorneyEmail = Request["email"];

          MySqlDataReader MySQLReader;

          MySql.Data.MySqlClient.MySqlConnection conn;
          MySql.Data.MySqlClient.MySqlCommand cmd;

          conn = new MySql.Data.MySqlClient.MySqlConnection();

Question by:TPBPIT
20 Comments
 
LVL 3

Expert Comment

by:MBoy
ID: 26298037
Use something simple like the following..


public static string xCrypt(string Text)
{
      // Shift each character code by 128:
      // add 128 to codes below 128, subtract 128 from codes above 128.
      char[] chars = Text.ToCharArray();
      for (int i = 0; i < chars.Length; i++) {
            int code = chars[i];
            if (code < 128) {
                  chars[i] = (char)(code + 128);
            }
            else if (code > 128) {
                  chars[i] = (char)(code - 128);
            }
      }
      return new string(chars);
}

0
 

Author Comment

by:TPBPIT
ID: 26298065
I'm not having to pass the password into the current .aspx file.  Would the above code work and if so, how do I use it?
0
 
LVL 3

Expert Comment

by:MBoy
ID: 26298131
Just add another file to be read every time you need to get your password.
0
 

Author Comment

by:TPBPIT
ID: 26298152
Lol.  Ok, I did stay at a Holiday Inn Express last night, but I'm not a developer especially not in C#.  Someone did the original work for me and disappeared.  Any detailed help or explanation you can give would help me greatly because the more complex it gets, the more I suck at coding.
0
 
LVL 9

Expert Comment

by:AsishRaj
ID: 26300056
This is how you do it

Dim SqlConnection As New SqlConnection(WebConfigurationManager.ConnectionStrings("ConnectionString").ToString())

Webconfig - safest in the business
<add name="ConnectionString" connectionString="Provider=MySQLProv;Data Source=mydb;User Id=myUsername;Password=myPassword;" />
0
 
LVL 9

Expert Comment

by:AsishRaj
ID: 26300094
sorry small mistake in the above code

WebConfig
<connectionStrings>
<add name="BMREConnString" connectionString="Server=;Port=;Database=;Uid=;Pwd=;pooling=false;" providerName="MySql.Data.MySqlClient"  />
</connectionStrings>

myConnection = ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString;

0
 

Author Comment

by:TPBPIT
ID: 26300113
Ok, so I add the part under the webconfig to the webconfig.  Do I add it anywhere in the webconfig?

Second, what is this clause and where do I use it? myConnection = ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString
0
 
LVL 9

Expert Comment

by:AsishRaj
ID: 26300130
instead of this
private const string ConnStr = "Server=localhost;Database=vcard;uid=root;pwd=password;";

Use this
private const string ConnStr =ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString


0
 

Author Comment

by:TPBPIT
ID: 26304390
Asish,

I made the changes above, but I get the attached error.  What am I doing wrong?  Obviously it has something to do with the web.config and the connection string, but I'm at a loss.
web.config
web.config-error.JPG
0
 

Author Comment

by:TPBPIT
ID: 26304478
Ok, minutes after posting the last message I found what I was doing wrong in the web.config file.  There was no opening for the connection string.

Now that I have fixed that, I'm getting the following error when the aspx page is trying to use the connection string.  See the attached image.  I have also attached the beginning of the code on the aspx page.
<%@ Page Language="C#" AutoEventWireup="False" EnableSessionState="False" EnableViewState="False" %>

<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.Odbc" %>




<%@ Import Namespace="MySql.Data.MySqlClient" %>

<script runat="server">
     private const string ConnStr =ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString;


     protected override void OnInit(EventArgs e)
     {
          base.OnInit(e);

          string strAttorneyEmail = Request["email"];


aspx-error.JPG
0
 
LVL 9

Accepted Solution

by:
AsishRaj earned 2000 total points
ID: 26317573
Try this instead
private const string ConnSt = System.Configuration.ConfigurationManager.ConnectionStrings["BMREConnString"].ConnectionString;

In WebConfig
<add name="BMREConnString" connectionString="Server=myServerAddress;Database=myDataBase;Uid=myUsername;Pwd=myPassword;"
providerName="MySql.Data.MySqlClient"/>



0
 
LVL 9

Expert Comment

by:AsishRaj
ID: 26317582
For more info on connection strings you can have a look at the URL below

http://www.connectionstrings.com/mysql
0
 

Author Comment

by:TPBPIT
ID: 26318330
I've tried several different connection string lines, but nothing works.  I keep getting an error that points to the connection string.
0
 
LVL 9

Assisted Solution

by:AsishRaj
AsishRaj earned 2000 total points
ID: 26318452
instead of

private const string ConnSt = ...

try this

private string ConnSt = ......
0
 

Author Comment

by:TPBPIT
ID: 26318478
I already tried that with this being the results
next-error.JPG
0
 
LVL 9

Expert Comment

by:AsishRaj
ID: 26319757
Can you post the whole function and copy of webconfig
0
 

Author Comment

by:TPBPIT
ID: 26323227
I put both of them in txt files.
vcardaspx.txt
webconfig.txt
0
 

Author Comment

by:TPBPIT
ID: 26355544
Asish, did you have a chance to look at this?
0
 
LVL 9

Expert Comment

by:AsishRaj
ID: 26355586
sorry mate, i got busy, will give it a look probably 2day
0
 

Author Closing Comment

by:TPBPIT
ID: 31676371
AsishRaj, I found the problem and was able to fix it.  The variable name I was declaring was spelled differently than what I was using.  Apparently I deleted a letter.

Thanks for all your help.
0
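
An added example, not code from the thread or its participants: a helper that reads the `BMREConnString` entry at run time (which is why the field on the page cannot be `const`) and encrypts the `connectionStrings` section of web.config on disk with the built-in DPAPI protected-configuration provider. The class name `Db` and its method names are assumptions made for illustration; the entry name and provider name follow the posts above.

```csharp
// Added example for an ASP.NET (System.Web) site. Assumes web.config has,
// inside <configuration>:
//   <connectionStrings>
//     <add name="BMREConnString"
//          connectionString="Server=localhost;Database=vcard;Uid=...;Pwd=...;"
//          providerName="MySql.Data.MySqlClient" />
//   </connectionStrings>
using System;
using System.Configuration;
using System.Web.Configuration;
using MySql.Data.MySqlClient;

public static class Db   // hypothetical helper class
{
    // Must match the name= attribute in web.config exactly.
    private const string EntryName = "BMREConnString";

    // Call once, e.g. from Application_Start in Global.asax.
    // Rewrites web.config so <connectionStrings> is stored encrypted on disk;
    // ASP.NET decrypts it transparently when the section is read.
    public static void ProtectConnectionStrings()
    {
        Configuration cfg = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = cfg.GetSection("connectionStrings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            cfg.Save(ConfigurationSaveMode.Modified);
        }
    }

    // The value is looked up at run time, so it cannot live in a 'const' field.
    // A missing or misspelled entry yields null; fail with a clear message
    // instead of a NullReferenceException further down.
    public static MySqlConnection Open()
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[EntryName];
        if (s == null || string.IsNullOrEmpty(s.ConnectionString))
            throw new ConfigurationErrorsException(
                "Connection string '" + EntryName + "' is missing from web.config");

        MySqlConnection conn = new MySqlConnection(s.ConnectionString);
        conn.Open();
        return conn;
    }
}
```

DPAPI-protected sections decrypt only on the machine that encrypted them, and the application's identity needs write access to web.config for the save to succeed.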
