Directory Security?
Message
General information
Forum: ASP.NET
Category: Other
Miscellaneous
Thread ID: 00576533
Message ID: 00576909
Views: 13
David;

For #2 below I use Windows NT Security and use my connection string as an INCLUDE file, with username and password. As you indicated in #1, by using an ASP extension no one can read the source code and thus the connection information is not available. In the course of development at my company we create, develop (test) and then go to production on three different servers for the application and yet three other servers for data. I have over 60 forms in one application and one INCLUDE file for my connection string. By changing the text of the one INCLUDE file my work is minimized and yet I have security.

As an aside I have a SQL Server Table and cookies to determine who a user is (after log on) and allow several levels of security down to the object and report level. No members of management are allowed to create or modify data. :) They can look but cannot touch.

Tom


>There are a couple of things you can do.
>#1. Give your #INCLUDEd files an ASP extension, not INC extension. That way if someone somehow gets browse rights to your directory, ASP will compile the file and no output will be generated so they can't see the contents of the file.
>#2. For SQL server, you should use Integrated Windows security and do not specify a username and password in the connection string so even if they could see the connection string, they could not see any username and password.
>#3. When you issue ADO commands in your ASP pages, wrap it in an error handler.
>i.e.
>on error resume next
>oConnection.Execute ...
>on error goto 0
>' check the contents of the oConnection errors collection to see if there were errors
>' See ADO connection object for more info
>That way the user does not see the default ASP error text which might give away information about how you are handling your SQL queries.
>
>This is not a complete list, but it should get you started.
>
>- Dave
>
>
>>I've had a web site written in ASP, and want to make sure security is OK.
>>
>>Of course, anonymous visitors need to be able to insert records into our tables, and to do a SQL insert you gotta have connection info.
>>
>>So I'm presuming it's OK to keep that info in ASP and INClude files in any old directory on the web site - assuming that all that info is server side and therefore cannot be easily hacked.
>>
>>True?
>>
>>TIA
>>Michael
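
An added example, not part of the thread or any poster's code: a small Python audit that checks a classic ASP web root against points #1 and #2 above, flagging #include targets without an ASP extension and connection strings that embed a password. It assumes only .asp is mapped to the script engine; the file names and connection strings in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only .asp is mapped to the ASP script engine on this server.
SCRIPT_EXTS = {".asp"}
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)
# Password keywords used in ADO / OLE DB connection strings.
CRED_RE = re.compile(r'\b(?:password|pwd)\s*=\s*[^;"\s]+', re.I)

def audit(webroot):
    """Return sorted (relative path, finding) pairs for a classic ASP site."""
    root = Path(webroot)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        scripted = path.suffix.lower() in SCRIPT_EXTS
        # Point #1: every #include target should carry a script extension.
        for target in INCLUDE_RE.findall(text):
            if Path(target).suffix.lower() not in SCRIPT_EXTS:
                findings.add((rel, "includes non-ASP file " + target))
        # Point #2: a password in the connection string is a finding anywhere,
        # and worse when the file itself can be returned as plain text.
        if CRED_RE.search(text):
            where = "server-side file" if scripted else "file served as text"
            findings.add((rel, "password in " + where))
    return sorted(findings)

def demo():
    """Audit a constructed two-page site (all file contents are made up)."""
    files = {
        "default.asp": '<!-- #include file="conn.inc" -->',
        "conn.inc": '<% CONN = "Provider=SQLOLEDB;Data Source=db01;'
                    'User ID=web;Password=EXAMPLE" %>',
        "report.asp": '<!-- #include file="conn.asp" -->',
        "conn.asp": '<% CONN = "Provider=SQLOLEDB;Data Source=db01;'
                    'Integrated Security=SSPI" %>',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            Path(tmp, name).write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    for rel, finding in demo():
        print(rel + ": " + finding)
```
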