|
Home > Archive > IIS ASP > April 2006 > remove connection information from the global.asa file
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
remove connection information from the global.asa file
|
|
| Sylvain 2006-04-27, 7:52 am |
| Hi !
Here's my problem:
I have actually an asp web site which use the global.asa file to connect to
the database but for security reason, I want to put username and password
information (or the complete connection string) in a seperate file so only a
special user could read these informations.
Is someone knows how to do this ?
Thanks very much
Sly
| |
| Evertjan. 2006-04-27, 7:52 am |
| =?Utf-8?B?U3lsdmFpbg==?= wrote on 26 apr 2006 in
microsoft.public.inetserver.asp.general:
> Here's my problem:
>
> I have actually an asp web site which use the global.asa file to
> connect to the database but for security reason, I want to put
> username and password information (or the complete connection string)
> in a seperate file so only a special user could read these
> informations.
>
> Is someone knows how to do this ?
>
I don't understand.
Global.asa is unreadable from the outside,
just like the seperate file you wanted,
and both are readable for the site programmer by ftp or whatever.
================
If you want you can put an include file in the top of all
..asp files you need to access the db in:
<!--#include virtual ="/dir/openDb.asp"-->
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
| |
| Sylvain 2006-04-27, 7:52 am |
| Hi !
Thanks for your answer. In fact, the reason why I want to separate
connection information from the global.asa file is because even the developer
should not have access to username and password, only one user (implementer)
and the application. Developer can have access to global.asa code without
being able to see the username and password.
I don't know if it is possible but if so, I'd like to have username and
password info in only one separate file and affect the value to my connection
string in global.asa.
Thanks for your answers.
"Evertjan." wrote:
> =?Utf-8?B?U3lsdmFpbg==?= wrote on 26 apr 2006 in
> microsoft.public.inetserver.asp.general:
>
>
> I don't understand.
>
> Global.asa is unreadable from the outside,
> just like the seperate file you wanted,
> and both are readable for the site programmer by ftp or whatever.
>
> ================
>
> If you want you can put an include file in the top of all
> ..asp files you need to access the db in:
>
> <!--#include virtual ="/dir/openDb.asp"-->
>
>
>
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
>
| |
| Bob Barrows [MVP] 2006-04-27, 7:52 am |
| In classic ASP, this is not possible without using a COM dll, perhaps
created in VB6.
Sylvain wrote:[vbcol=seagreen]
> Hi !
>
> Thanks for your answer. In fact, the reason why I want to separate
> connection information from the global.asa file is because even the
> developer should not have access to username and password, only one
> user (implementer) and the application. Developer can have access to
> global.asa code without being able to see the username and password.
>
> I don't know if it is possible but if so, I'd like to have username
> and password info in only one separate file and affect the value to
> my connection string in global.asa.
>
> Thanks for your answers.
>
> "Evertjan." wrote:
>
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
| |
| Dave Anderson 2006-04-27, 7:52 am |
| Sylvain wrote:
> Thanks for your answer. In fact, the reason why I want to separate
> connection information from the global.asa file is because even the
> developer should not have access to username and password, only one
> user (implementer) and the application. Developer can have access to
> global.asa code without being able to see the username and password.
>
> I don't know if it is possible but if so, I'd like to have username
> and password info in only one separate file and affect the value to
> my connection string in global.asa.
Aside from Bob's suggestion, you can deny your developer access to your
production environment. Allow him a development environment, complete with
test databases (and test connection parameters).
Even in this scenario, a clever developer might try to embed something that
will reveal the DB credentials to him once his code is moved over. You might
mitigate this by creating a custom class/function that returns an open
connection without exposing any credentials.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
|
|
|
|
|