> Have you considered someone using Excel next to your application and connecting directly to your SQL Server to pull data out?
This is the exact reason why I want to change the connection string after the user is validated. I store a username and password in the app.config file for initial user validation. This particular SQL user has only one security right, which is the ability to call a "User Validation" stored procedure and nothing else. This way, if someone gets the username and password off the app.config file, they can't look at any data or do any damage.
The returning dataset of the successful user validation contains a new SQL username and password which have full access to the database.
Stephen Lee
--------------------------------
Too much to code
Too little time
--------------------------------
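A T-SQL sketch of the single-right bootstrap account described in the post above, with queries to audit what that account can actually do. This is an added example, not the poster's code. The names `AppDb`, `AppBootstrap` and `dbo.usp_ValidateUser` and the password placeholder are hypothetical, and the validation procedure is assumed to exist already.

```sql
-- Hypothetical names: AppDb, AppBootstrap, dbo.usp_ValidateUser.
USE AppDb;
GO

-- Login and database user for the credentials kept in app.config.
CREATE LOGIN AppBootstrap WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER AppBootstrap FOR LOGIN AppBootstrap;
GO

-- The one right described in the post: execute the validation procedure.
GRANT EXECUTE ON OBJECT::dbo.usp_ValidateUser TO AppBootstrap;
GO

-- Audit 1: every explicit grant or deny recorded for the bootstrap user.
SELECT pr.name                  AS principal_name,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'AppBootstrap';

-- Audit 2: database roles the bootstrap user belongs to
-- (role membership can carry rights that Audit 1 does not list).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'AppBootstrap';

-- Audit 3: effective permissions as the server evaluates them,
-- obtained by impersonating the bootstrap user.
EXECUTE AS USER = N'AppBootstrap';
SELECT * FROM sys.fn_my_permissions(NULL, 'DATABASE');
SELECT * FROM sys.fn_my_permissions('dbo.usp_ValidateUser', 'OBJECT');
REVERT;
GO
```

Every database user is also a member of `public`, so anything granted to `public` in the database applies to the bootstrap account as well and shows up in Audit 3 rather than Audit 1.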