Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
sushi
Starting Member
2 Posts |
 Posted - 2008-04-21 : 04:55:08
|
| Hi,We have this web application (asp classic) that needs to connect to SQL 2005 server. Can somebody help me on how can I encrypt the password as well as the ID used in connecting to the server (SQL 2005 server)? Is it possible to encrypt the password and ID being used in the connection string? Any reply from you guys would be appreciated. Many thanks! =) |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2008-04-21 : 07:13:16
|
| I don't know about encrypting the password, but are you able to use integrated security instead (windows-acounts)? Then you don't need a password... If the servers are in the same domain you should be able to do this, or if you create a local windows account with *exactly* the same name and password on both the webserver and the db-server, and set up IIS to run with this user you should be able to use integrated security. Maybe not the best way to do it but it actually works quite well...--Lumbago |
 |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2008-04-21 : 07:15:21
|
Another option is to save the password in the registry and create a COM-object to handle connections to the database. But I'm getting rusty so you'd be better off google'ing for that one  --Lumbago |
|
|
|
sushi
Starting Member
2 Posts |
Posted - 2008-04-30 : 03:53:47
|
| Hi Lumbago, thanks for your inputs though I still have a question with regards to the encryption. Given the sample code below:<% Option Explicit Response.Buffer = True Session.timeout = 60 Session.Contents("SQLConnection") = "Provider=SQLOLEDB.1;Persist Security Info=True;User ID=app_user;Password=app_password;Initial Catalog=app_DB;Data Source=ABCD1234" dim loginCookie dim loginName loginCookie = Request.Cookies("MyPage") if loginCookie <> "" Then loginName = Request.Cookies("MyPage")("login") end if if (cstr(Request.QueryString("status"))) = "logoff" Then Session.Contents("City") = "" end ifdim mySQLdim rsTempDim dbnDBSet dbnDB = Server.CreateObject("ADODB.Connection")dbnDB.ConnectionString = Session.Contents("SQLConnection") dbnDB.Open mySQL = "SELECT City FROM app_Password GROUP BY City"set rsTemp=dbnDB.execute(mySQL)if rsTemp.eof then Response.Write("No Data for <BR>") Response.Write(mySQL) dbnDB.close set dbnDB=nothing Response.Endend if%> The code above is included in the default page of the application, we don't have a separate page for the connection string. I need to encrypt the credentials used in this page as per security standard. Do i need to remove this code in the default page and create a separate page for the encryption of the connection strings? Or is it possible to encrypt the credentials within the default page itself? Sorry for the questions but I'm not really that technical especially with asp classic. Any response would be greatly appreciated. Thanks in advance. |
|
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2008-04-30 : 04:06:47
|
| As far as I know ADO doesn't support encryption of parameters and since the database doesn't accept an encrypted password you'll have to decrypt it somewhere before it hits the database and there is your problem. Your best bet is to either use integrated security or to have the password in registry. As far as I know there is no way of encrypting the connection string like you're suggesting.--Lumbago |
|
|
|
|
|
|
ASP connection string encryption