• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 754
  • Last Modified:

DB Password in ASP

I have a simple aspx page located under /inetpub/wwwroot that contains a db username and password to a MSSQL database.  My question is, is the password safe from someone browsing my site?  After the file loaded in my browser, I did not see it under View Code, but I am wondering if there is another trick that I am not aware of.

Here is the code:

<%...
ConnString="DRIVER={SQL Server};SERVER=myservername;UID=myusername;" & _ 
"PWD=mypassword;DATABASE=mytablename"
...%>

Open in new window

0
jekautz
Asked:
jekautz
1 Solution
 
kevinhiggCommented:
Good evening!  Some variant of this scenario is how many / most classic ASP sites maintained connection string details.  As long as your credentials are not sent to the output buffer (using Response.Write or the like), or stored in a file that is not processed by the ASP runtime, this should be safely interpreted server side and never rendered for the client.  Here's a SO link that mentions this:

http://stackoverflow.com/questions/2339450/where-to-store-connection-string-for-classic-asp
0
 
Alan WarrenCommented:
Hi jekautz,

No, absolutely not, nothing on the Internet is secure.
Your web.config is as secure as your login credentials with your host provider, or your ftp login credentials, which your site most likely publishes as an 'A' record in it's DNS.

The military gave us 128 bit encryption with Win 95, because it is worthless to them, they can crack it in an instant.

In regard to the average user, your web.config is secure, but to the powers that be... no way!

I'm not a pessimist, I'm a realist.

Alan ";0)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now