Storing Connection String on Database

Question

I couldn't find a question that would fit this purpose, so I'm asking it.

We have deployed an ASP.NET website that has two Connection Strings, one of them can be configured by the user, in runtime. The problem is, since I'm using .NET Framework to do this, it creates a temporary file by the time the web.config is altered, which forces my customer to grant full rights to the entire website folder, not just the web.config file. He's not happy about it, and manager's are questioning storing the other connection string in the same config file.

So I have the options of creating a separate config file, in a separate folder, so that they should only grant full rights to that folder, or store it on the database. The first option is about the same as it is now, so the question is:

What about storing the ConnectionString on the database?

Note that I'm not talking the application ConnectionString, but an alternative, since this application is going to integrate like three applications.

So guys, give me advantages and disadvantages, good and bad points of storing it on the database.

Answer 1

I wouldn't store Connection Strings in the database.

I would use a Settings File instead (Settings files can be modified at runtime without causing recompilation of the application like web.config).

You can also give different settings different scopes (User, Application, etc.) so each user can store their own configuration if you'd like without stepping on anybody else's toes.

Answer 2

If the user is using the application which has it's own database to connect to a 2nd database of his choosing and need to be able to change that at runtime, then yes, store it in the database. Is this some sort of self service hosting application?

Settings file are for things that are to be changed by the an administrator. When the application user (or the application developer) and not the system administrator is expected to make the change in the settings file, then it's better to put it in a database.

Answer 3

Store it in the DB

If it is part of data about your user and not related to this application's settings, I would store it in the DB verses any another place. It's no different than any other user data.

Benefits

1. Not stored anywhere the public can get at it - although the ISAPI filter for ASP.net won't allow access to it normally, but you never know what exploit will pop-up next
2. Easy to relate it to your user's other data - since it's linked to your site's users, this is useful
3. No security issues - no need to set any special permissions anywhere

Answer 4

You can use something like this on your web.config

<add name="ConnectionString" connectionString="Data Source={0};Initial Catalog={1};User ID={2};Password={3}" providerName="System.Data.SqlClient" />

And then use string.Format() to set the diferent values of each parameter.