All geek questions in one place

Avoid providing a server connection string in web.config

I am building a site using asp.net MVC. I have two connection strings in web.config, one for the local db and one for the db server. I test my work on the local computer and then host it on the server. the server connection string ( user name and password ) is also located in the web.config file. Tomorrow, when I sell the product, I want to make sure that I do not give this web.config to customers. but this may happen by mistake. How can I prevent this?

+6
source share
2 answers

My suggestion would be to use one of two ways:

A ConnectionStrings.config or Web.Config Conversion . As usual, there are pros and cons for both.

Using a separate configuration file for connection strings

  • Each developer can have a local copy of their connection strings.
  • ConnectionStrings can be flagged for ignore and never tied to the source control.

However - Requires individual management of each client / developer.

Convert Web.config

  • Each connection / assembly string configuration can be source controlled.
  • Requires publishing an application, not just building

but

  • It can be difficult to maintain with a lot of conversions.

Personally, I prefer to have ConnectionStrings.config - I don't like having production credentials in the source control. This also has a good side effect giving a build error if you forget it, so you cannot leave them by mistake.

+4
source

Do not use the username and password in the connection string, but use the built-in protection.

Instead of this.

 User ID=****; Password=****;

Use this.

 Integrated Security=true;

And make sure your login user has access to the local database. And the IIS server has access to the server database.

See here for configuring IIS to access SQL Server.

+2
source

Source: https://habr.com/ru/post/974076/

More articles:


All Articles