how sqlConnection hides the password of the connection string

Question

Hi all, I'm making a component which uses some data to connect to a database, this data includes user id and password, it store those values in private variables but any programmer can see the value in the debugger after the initialization, so I'm wondering how the SqlConnection does to hide that value, when I see the value of the property ConnectionString I see all the info except the password, its storing it somewhere but its not making it visible, even in the debugger i cant see any variable that's storing the password, I know i can secure the password using SecureString but I'm wondering how is the implementation of SqlConnection object.

Thanks.

Juan Zamudio

Answer 1

From the manual:

The ConnectionString is similar to an OLE DB connection string, but is not identical. Unlike OLE DB or ADO, the connection string that is returned is the same as the user-set ConnectionString, minus security information if the Persist Security Info value is set to false (default). The .NET Framework Data Provider for SQL Server does not persist or return the password in a connection string unless you set Persist Security Info to true.

I'm not sure about how this is implemented. My unverified guess is that it fills a structure with the security parameters it then sends to the server, never actually storing them unless you set Persist Security Info to true.