jestermax  Member  Posts: 1064  From: Ontario, Canada  Registered: 06-21-2006
Hey, I'm doing a manual database query in an aspx page (the standard MS controls were somewhat lacking for what I want). I'm storing the connection string in the web.config file and I'm going to encrypt it when I deploy it. But now comes the question: what's the best way to handle the query? As in, where should I store it? Should I put it in the web.config file as an appSetting? I more just want a "best practices" thing here.
[This message has been edited by jestermax (edited January 24, 2007).]
SSquared  Member  Posts: 654  From: Pacific Northwest  Registered: 03-22-2005
I have no direct experience with ASP.NET, but have used similar technologies. Why can't you put the query in the ASP.NET page? Or make a call into an Assembly containing the query you want to use? If you are worried about someone seeing the query or knowing some underlying code, keep in mind, the ASP code is not exposed to the user. They will only see the output and results of the ASP.NET code...that is, they will see the HTML output created by your ASP.NET code.
jestermax  Member  Posts: 1064  From: Ontario, Canada  Registered: 06-21-2006
I'm just making it the best I can. I REALLY don't like to write code that isn't professional. From a security standpoint I want to try to encapsulate everything as much as I can, especially database query code. I ended up writing a stored procedure for my select query so I think that'll fix my problem. There's always someone that'll try to break the system. For example, yesterday I was managing some user accounts and I kept getting forwarded to a spam page. It took me a couple of hours (yes, sad I know) to realize that someone had made a script injection attack through a user account. It called the script whenever an aspx page containing the user info was rendered. This includes the .NET application configuration page.
SSquared  Member  Posts: 654  From: Pacific Northwest  Registered: 03-22-2005
Stored procedures are a good way to go.
This is why I suggested putting the queries in a .NET Assembly (DLL, for example). The DLL is located on the server outside of the actual server directories, making it impossible for users to access directly. Hacking is certainly a big issue. When reading tutorials, they should cover security issues fairly well. At least that's what I found when I was studying Apache, MySQL, and PHP. The tutorials gave all sorts of hints/tips to keep things secure...things like where to store the login information (the ConnectionString in .NET) so users can't get to it.
jestermax  Member  Posts: 1064  From: Ontario, Canada  Registered: 06-21-2006
Well, in ASP.NET you can set it to encrypt the connection strings in the web.config (the web.config is already hidden from users but you never know). Actually I didn't read any tutorials when I learned ASP.NET (which was a week ago or something like that). Well, I shouldn't say that; I watched a few videos on how to create data-driven websites. They talked about all the security you get right out of the box with ASP.NET but never got into specific cases.
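The three practices the thread touches on (connection string kept in web.config and encrypted on the server, the query moved into a stored procedure called with typed parameters, and user-supplied values HTML-encoded before an aspx page renders them so a stored script tag shows up as text instead of executing) fit together in one small data-access class. This is an added example written for this thread, not code from either poster; the connection-string name, the stored procedure and its column are hypothetical.

```csharp
// Added example (not from the thread). Assumes web.config contains
//   <connectionStrings><add name="MainDb" connectionString="..." /></connectionStrings>
// and that the section was encrypted on the server with
//   aspnet_regiis -pe "connectionStrings" -app "/YourApp"
// The stored procedure is hypothetical, e.g.
//   CREATE PROCEDURE dbo.usp_GetUserDisplayName @UserName NVARCHAR(256) AS
//     SELECT DisplayName FROM dbo.Users WHERE UserName = @UserName;
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class UserRepository
{
    // Read the connection string through the framework; the decrypted value never
    // appears in page source, and the encrypted section is unreadable if web.config leaks.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;

    // Pattern to avoid (shown only as a comment): building SQL from user input lets a
    // crafted user name change the statement itself.
    //   string sql = "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";

    // Stored procedure plus a typed parameter: the value travels as data, not as SQL
    // text, so quotes or comment markers in userName cannot alter the query.
    public static string GetDisplayName(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("dbo.usp_GetUserDisplayName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // The stored value may itself be hostile (the script-injection case in the thread:
    // a script saved into an account field and replayed on every page that shows it).
    // Encode at render time so "<script>" in the data is displayed literally.
    public static string RenderDisplayName(string userName)
    {
        string name = GetDisplayName(userName) ?? "(unknown)";
        return "<span class=\"user\">" + HttpUtility.HtmlEncode(name) + "</span>";
    }
}
```

Encoding on output rather than stripping on input is what protects the admin/configuration pages the thread mentions, since they render the same stored data.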