DB access password
-
Good Afternoon, Can someone please point to me how the architecture of a web site where database access is required should be used… I have a site that connects to a SQL express database and I have a provider setup in the web config file to access the database. If a user logs into the site they will use this username and password to access data and determine if it is a valid user. (This password is at this time unencrypted) If someone should get hold of this password they can have access to the database and do what they want to. Is this correct? Or should I do something else? Also what roles should this common user have? Thanks, Chris
-
Good Afternoon, Can someone please point to me how the architecture of a web site where database access is required should be used… I have a site that connects to a SQL express database and I have a provider setup in the web config file to access the database. If a user logs into the site they will use this username and password to access data and determine if it is a valid user. (This password is at this time unencrypted) If someone should get hold of this password they can have access to the database and do what they want to. Is this correct? Or should I do something else? Also what roles should this common user have? Thanks, Chris
Chris Tiaan wrote:
If a user logs into the site they will use this username and password to access data
Are you talking about the user that is registered into the database. Means are they just a single record from Users table of the Database or they are the actual user which is used to connect to the database. Generally, uid and password can be protected using SSL connection. Yes if you send password unencrypted, it might be exposed to others. But if they are not sensitive enough, it is unnecessary to do Encryption using SSL. For our general websites , We take uid and password and check with db using the connection string(which has UID and password) stored in the server. ;)
Abhishek Sur **Don't forget to click "Good Answer" if you like this Solution.
My Latest Articles-->** Simplify Code Using NDepend
Basics of Bing Search API using .NET
Microsoft Bing MAP using Javascript -
Chris Tiaan wrote:
If a user logs into the site they will use this username and password to access data
Are you talking about the user that is registered into the database. Means are they just a single record from Users table of the Database or they are the actual user which is used to connect to the database. Generally, uid and password can be protected using SSL connection. Yes if you send password unencrypted, it might be exposed to others. But if they are not sensitive enough, it is unnecessary to do Encryption using SSL. For our general websites , We take uid and password and check with db using the connection string(which has UID and password) stored in the server. ;)
Abhishek Sur **Don't forget to click "Good Answer" if you like this Solution.
My Latest Articles-->** Simplify Code Using NDepend
Basics of Bing Search API using .NET
Microsoft Bing MAP using JavascriptHi Abhishek Thanks for your reply. Currently I have the SA user in the config file for testing. ...Which earns me a BAD award :( ...but it is only on my local PC. :) If I were to create a new user to use what rights and roles should I grant the user? Thanks for your reply, Chris
-
Hi Abhishek Thanks for your reply. Currently I have the SA user in the config file for testing. ...Which earns me a BAD award :( ...but it is only on my local PC. :) If I were to create a new user to use what rights and roles should I grant the user? Thanks for your reply, Chris
Chris Tiaan wrote:
If I were to create a new user to use what rights and roles should I grant the user?
How can I answer this.. . It totally depends on your requirement. If you make db_owner, it can do anything. :-D
Abhishek Sur **Don't forget to click "Good Answer" if you like this Solution.
My Latest Articles-->** Simplify Code Using NDepend
Basics of Bing Search API using .NET
Microsoft Bing MAP using Javascript -
Chris Tiaan wrote:
If I were to create a new user to use what rights and roles should I grant the user?
How can I answer this.. . It totally depends on your requirement. If you make db_owner, it can do anything. :-D
Abhishek Sur **Don't forget to click "Good Answer" if you like this Solution.
My Latest Articles-->** Simplify Code Using NDepend
Basics of Bing Search API using .NET
Microsoft Bing MAP using JavascriptHi What I dont understand is if I were to make it the DB owner. What prevents someone from getting that login and password onto my database and change data? can the config file be access from the outside word? Many Thanks, Chris
-
Hi What I dont understand is if I were to make it the DB owner. What prevents someone from getting that login and password onto my database and change data? can the config file be access from the outside word? Many Thanks, Chris
-
Hi What I dont understand is if I were to make it the DB owner. What prevents someone from getting that login and password onto my database and change data? can the config file be access from the outside word? Many Thanks, Chris
I dont think from ASP.NET, anyone can get the UID and password as it is secure and cant be called. If you are unsure that someone else who have access to the server can see it through file system, you can also make use of encryption of web.config. Now regarding the role, you can either make it db_owner or sys_admin based on the requirement. ;)
Abhishek Sur **Don't forget to click "Good Answer" if you like this Solution.
My Latest Articles-->** Simplify Code Using NDepend
Basics of Bing Search API using .NET
Microsoft Bing MAP using Javascript