tags:

views:

222

answers:

3
Q: 

Does an ODBC connection have to use cleartext passwords?

I have been tasked with securing the connection string in an classic ASP application and I'm wondering if I should just bite the bullet and upgrade the whole application to ASP.NET, or if there is a simple fix.

Currently the application connects to an ODBC datasource with a connection string like this:

DSN=Mydb;uid=myuser;pwd=mypassword;DATABASE=mydb

My question is, is it possible to encrypt this password somehow, or to remove ODBC from the equation?

+2  A: 

You can run the web application under a domain user and use integrated security instead of spelling out the user id and password in the connection string.

Otávio Décio  2009-11-02 15:25:34
+1, as long as the database driver supports integrated security (which most do).
devstuff  2009-11-02 15:36:02
Running a web application as a domain user poses a set of other challenges: making sure that this user has the same privileges as the default ASP app identity; maintaining user life cycle (e.g. changing password in IIS when it expires; having to create a separate domain account for DB connection, since using regular user account may not be a good idea); now allowing any other Web app running under this site to connect to the database server; etc. Depending on your environment and requirements, these may not be a big deal, but you at least need to be aware of these issues.
Alek Davis  2009-11-02 19:59:26
+1  A: 

Rather than ODBC, you can consider OLEDB. I generally recommend the latter, (with possible exceptions for example when one need/like the indirection provided by the ODBC configuration which allows switching dbs without changing the application's configuration or source code).

EDIT: in reading the question quickly, I came to he idea that you were using MySQL (all these "my" in the conn. string snippet...), and hence the following my not apply if another database is in use...

However, as you seek to not supply the password in the connection string, it may not be possible to use OLEDB, as MySQL documentation on this type of connection doesn't seem to allow alternate authentications but accountid/password.

You may therefore need/like the ability to call ODBC with integrated security and have the MySQL accountid/password stored at the level of the ODBC configuration for this source. In this fashion the password is not referenced at the application level (but still found in the ODBC config...).
With ODBC the connection string key=value pair for using integrated security is

"Integrated Security=SSPI" 
which I believe is equivalent to 
"Trusted_Connection=yes"

A useful reference for connection strings is aptly named www.connectionstrings.com

mjv  2009-11-02 15:38:43
A: 

Another alternative is to encrypt the connection string using some algorithm (or using some component like RSADLL) and then decrypt the connectionstring in the app.

Do not forget to provide a servicing page to allow administrators to create a encrypted connection string.

Eduardo Molteni  2009-11-02 19:43:39

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps