>I set up a test environment and have a lot of ASP pages getting data
>from a SQL Server in a CRM application.
>
>But I see one security hole. The password to SQL Server is embedded
>in the ASP code so any user code via the password.
>
>I think this would be a common problem. How could one solve this?
Users shouldn't be able to download the ASP source from your server so the password should be safe.
It's better to store the password in an application or session variable created in global.ini. Theoretically, it's even more difficult for the user to get to the global.ini file contents.
To make things even more secure, make all your data access (from the web) through SQL stored procedures. This way you only grant the web user access to the stored procedures and not the actual tables.
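
The stored-procedure approach suggested in the reply above, sketched in T-SQL as an added example that is not part of the original thread. The login `crm_web`, the table `dbo.Customers`, the procedure `dbo.GetCustomerById` and the password placeholder are all assumed names for illustration.

```sql
-- Added example; every object name here is hypothetical.
-- Low-privilege account used only by the web application.
CREATE LOGIN crm_web WITH PASSWORD = '<replace-with-strong-password>';
CREATE USER crm_web FOR LOGIN crm_web;
GO

-- Sample table standing in for the CRM data (constructed).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(256) NOT NULL
);
GO

-- The only route the web account gets to the data: a parameterized
-- procedure that returns exactly the columns the page needs.
CREATE PROCEDURE dbo.GetCustomerById
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name, Email
    FROM dbo.Customers
    WHERE CustomerId = @CustomerId;
END;
GO

-- Grant EXECUTE on the procedure and nothing on the table.
-- Because dbo owns both objects, ownership chaining lets the procedure
-- read the table without the caller holding SELECT on it.
GRANT EXECUTE ON OBJECT::dbo.GetCustomerById TO crm_web;
GO

-- Check the effective permissions as the web account.
EXECUTE AS USER = 'crm_web';
SELECT
    HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT')        AS can_select_table,
    HAS_PERMS_BY_NAME('dbo.GetCustomerById', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
GO
```

Ownership chaining does not extend to dynamic SQL built inside a procedure, so a procedure that runs a string through `EXEC` or `sp_executesql` would need table permissions for the caller and loses the isolation shown here.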