We have recently hired new developers. Until now, we only have one developer who was committing all his changes on Visual SVN. But after new developers are hired, we are concerned about the security of our SQL credentials that reside in the web.config.
We either want (Not Prefered) to exclude web.config from the SVN and have all developers include their own version of web.config, which contains their SQL Connection string of the test machine. But we really don't need that. We want to have a class handle our sql connection string. That class should be designed in such a way that only the authorized computer should be able to connect to the production Sql server.
How does other teams tackle such an issue? can somebody help please?
You can store your connection strings in a seperate config file. You can use the configSource property to reference that file. That way, all developers will have their own connection strings. You add that specific file to the SVN ignore list, so it won't be sent to the SVN server when a commit is made.
<connectionStrings configSource="Config\connectionStrings.config"/>
Here's an example for the connectionStrings.config file:
<?xml version="1.0"?>
<connectionStrings>
<add name="Name"
providerName="System.Data.ProviderName"
connectionString="Valid Connection String;" />
</connectionStrings>
There should be nothing else in the file. Just the <connectionStrings>...</connectionStrings> content. Also, check the MSDN documentation to see how the configSource attribute should be used.
Related
The program I'm writing accesses a database. So when I use the SqlConnection() class, I hard code the actual connection string as a parameter. Eventually I'd like o deploy this program to different users. So my question is:
When a user installs a program on their computer, how does the new connection string get created, where is it stored, and how can I access it?
Thanks for the help
You need to out it in a configuration file and load it from there. For an ASP.NET application it would be in the web.config file;
<connectionStrings>
<add name="MyConnection" connectionString="MyConnectionString" />
</connectionStrings>
and then use
string connectionString = ConfigurationManager.ConnectionStrings["MyConnection"].ConnectionString
in your application.
The for each installation it would be configured for the local requirements.
For a desktop application the details are different but the principle is the same.
See references in answer from Luis Sagasta
As explained in MSDN, you should save the connection string in the configuration file:
MSDN: Connection Strings and Configuration Files
In the same article you will find information about encrypting the configuration section:
MSDN:Encrypting Configuration File Sections Using Protected Configuration
Regards.
I am preparing a single tool(web application) using which i should be able to change web.config file of various web applications hosted on different web servers.
I tried using WebConfigurationManager.OpenWebConfiguration(strings), but it takes only relative path but if i put shared location of different web servers web.config files, it fails.
MSDN ref:
https://msdn.microsoft.com/en-us/library/ms151456(v=vs.110).aspx
I think, in my case i will not be able to use WebConfigurationManager.OpenWebConfiguration.
Only option is XDocument.
Please suggest.
In past projects, I have used base and transform files with success: https://msdn.microsoft.com/en-us/library/vstudio/dd465318(v=vs.100).aspx.
As an example, we have a connection string in our web.config.base file like:
...
<connectionStrings>
<!-- Connection String Changes will be lost when this file is
regenerated - Please edit your transform file instead -->
<add
name="MainConnectionString"
connectionString="(default connection string)" />
and an entry in a web.config.transform file that looks like:
<connectionStrings>
<add name="MainConnectionString"
connectionString="(system-specific connection string)"
xdt:Transform="Replace"
xdt:Locator="Match(name)"
/>
The the web.config file is recreated when the application builds, with whatever connection string is defined in the local transform file replacing the default string. The web.config.base file is committed to our versioning system, while the transform is not.
So devs can have one transform file to connect to their local db's, qa servers have a different transform file, and demo servers have a different set again, all with a minimum of fuss, because most settings are kept in the web.config.base file, which is passed around with the repository, and only the connection string changes have to be maintained from one environment to the next.
I am developing a web app with a group of people and we all have different connection strings to our database.
The connection string is stored in our web.config which is source controlled, and sometimes people check in their web.config with their connection string which messes up my environment.
I want to use an environment variable that if exists will override the connection string in my web.config. How can I do that?
As others have noted in your comments there is no easy way to stop people from changing any file that is under source-control. However, what you could do is change your web.config file to have:
<connectionStrings configSource="Configs\ConnectionStrings.config" > </connectionStrings>
Then have a folder called Configs and in there a file named ConnectionStrings.config with content like:
<connectionStrings>
<add name="YourVersionHere" ... />
</connectionStrings>
That way you can check the web.config file in / out without it altering your connection string (it is now held in a separate file). Of course, this doesn't get you out of jail because they can then overwrite the ConnectionStrings.config file but it does allow you to break your config out so you can always be up to date with all the settings but never do a GET on your ConnectionStrings.config file.
The same applies to AppConfig etc. Basically allows you to manage your config in smaller chunks rather than all in one place.
You can get more information here: http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.configsource.aspx
Is it possible for you to move your connection strings from your application-level web.config down to your system-level machine.config file?
I've reviewed the post How to configure Fluent NHibernate with MySQL, but I'm relatively new to MySQL and I need to actually set up with connection string itself. I've installed MySQL as part of a WAMP install and need to fill in the actual connection string. Can someone help me by extending the linked answer to actually contain a full connection string example?
Appreciated.
Edit: I've tried several different things and I keep getting the following error message:
Can't load file FluentConfiguration.cs under d:\Builds\FluentNH-v1.x-nh3\src\FluentNHibernate\Cfg.
Check the file permission and the existence of that file.
I installed FNH via nuget, and I don't understand why it's looking at that path, as the d: drive is my CD and not a harddisk. Very confused.
The error you've pasted looks like Visual Studio trying to localise the sources to show you where the exception comes from. This is not the real exception message - you should have it somewhere there and it's probably something about wrong configuration.
If you've installed WAMP with default settings, it is configured to listen on 3306 port and have only local root account without password. So your connection string should look somehow like that:
Server=localhost; Port=3306; Database=[database_name_here]; Uid=root; Pwd=;
(Pwd= part may be not needed at all).
So you need to paste it in your App.config/Web.config's <connectionStrings> section:
<connectionStrings>
<add name="ConnectionString"
connectionString="Server=localhost; Port=3306;
Database=[database_name_here]; Uid=root; Pwd=;"
providerName="System.Data.SqlClient" />
</connectionStrings>
and then use the solution from linked question:
MySqlConfiguration.Standard.ConnectionString(
c => c.FromConnectionStringWithKey("ConnectionString")
)
Alternatively, you can paste the connection string directly in your Fluent's configuration, like this:
MySqlConfiguration.Standard
.ConnectionString.Is("Server=localhost; Port=3306;
Database=[database_name_here]; Uid=root; Pwd=;")
Anyway, this default root/no password configuration can be used only for local development and testing purposes.
First, forgive my english.
My group and I are planning to do an application. This application can be installed to other machines, and should connect to a server and the database is password protected.
As a student, we always do this in a naive way:
SqlConnection myConnection = new SqlConnection("user id=username;" +
"password=password;server=serverurl;" +
"database=database; " +
"connection timeout=30");
Always hardcoded.
What if we change the password of the database, or chage our server?
We have also to change the values in our code, recompile and reinstall the application in the pc. Is there something dynamic way of doing these?
We are thinking that in the first run of the application, the user will be prompted for the connection details and save that data into a file where the application will fetch it everytime it starts and use it for database connection, but there's a password involved.
Any suggestion, ideas, concepts, samples, etc...? How to do it in more professional way? Please help... Thanks.
You could store the database settings in app.config
http://www.ezzylearning.com/tutorial.aspx?tid=8067328
you could store your credentials in the config file - that way no need to recompile the project every time the password changes.
The config file can be encrypted too, so you could only change the password via the application you're making.
Windows lets you encrypt files, so that only processes running as the owner can read them. You could store the passwords in a file and encrypt it. See File.Encrypt on MSDN.
This would only be one factor in the security model. You probably also want to encrypt the file at the application level so malicious software that the users run doesn't sniff around for passwords.
There are several ways to do this. First off all you may save your connectionString in an app.Config/web.config file. Your connection objects may access this string by using
PROJECTNAME.Properties.Settings.Default.YOURCONNECTIONSTRINGNAME
Your app.config file may look something like this
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
</configSections>
<connectionStrings>
<add name="Winforms_Demo.Properties.Settings.dbNordwindConnectionString"
connectionString="Data Source=(local)\SQLEXPRESS;Initial Catalog=dbNordwind;User ID=sa"
providerName="System.Data.SqlClient" />
</connectionStrings>
</configuration>
As you can see this possibility still saves any user credentials hardcoded (although you may change them by manually editing the config.file (even after compiling). You may create such a config file by adding a new datasource to your project (e.g. sql server datasource). The wizard will then ask where to save your connectionString.
Another possibility will be connectionStringBuilder. This class offers some properties:
SqlConnectionStringBuilder conbuild = new SqlConnectionStringBuilder();
conbuild.InitialCatalog = "dbNordwind"; // database name
conbuild.IntegratedSecurity = false; // true if you use winAuthent
conbuild.UserID = "sa"; // e.g get this info by showing a authent form
conbuild.Password = "123";
conbuild.DataSource = "servername";
SqlConnection con = new SqlConnection(conbuild.ConnectionString);
Using this method you may even access a file and read any required data. In this case you have to look into security measures for your file!
Securing your file may be done by encrypting it (System.Security namespace) or saving data into any isolatedStorage (user specific - windows security will be used) or by using "aspnet_regiis -pef" to crypt any config-file.